Snort mailing list archives

Re: Flex-Response, anyone using it?


From: Jason Haar <Jason.Haar () trimble co nz>
Date: Thu, 20 May 2004 12:20:13 +1200

On Wed, May 19, 2004 at 03:04:28PM -0500, Paul Schmehl wrote:
> I'm curious to know how many people, if any, are using Flex-Response and
> what kind of results they have seen?  I've been using it for some P2P
> rules but haven't actually tested it from the client.  Any information
> would be greatly appreciated.

We use it and it works well. We've turned it on for specific rules - such as
BLASTER and Sasser exploits. 

However, you must appreciate that it relies VERY much on your network
configuration. All TCP RSTs are sent from eth0 (your primary Ethernet
interface) with spoofed IP addresses. So your network has to be configured so
as to allow those packets to reach the actual client and server that it is
trying to break the connection between. If there is a firewall/NAT router of
any description between those packets and the end-servers, then it is likely
to FAIL (as they will block this weird packet showing up from an interface
that wasn't involved in the original TCP stream).

But if your network topology is up to it, and the thing you are trying to
break is "long lived" enough to be ruined by the RESET, then it works well.

Give it a go; we specifically put a "test Active IDS" rule in so as to be
able to test the effectiveness of flexresp on newly installed Snort boxes, e.g.

alert tcp any any -> $HOME_NET 80 (msg:"Access denied by Active IDS \
 test rule!"; uricontent:"/active-rule-SDF32434DFDF.txt";resp: rst_all;)

(i.e. we just have to go to any internal Web site that flows past an IDS to
test it - you should get an empty page/broken page instead of a "404 not
found" error page)


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
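The client-side check Jason describes (fetch the test URI from an internal web site and see whether you get a torn-down connection rather than a normal "404 not found") can be scripted so it is repeatable on every new sensor. The following is an added example, not code from the thread or from the Snort project: `probe()` requests the URI and classifies the outcome, and `simulate()` stands up a throwaway local server that either answers 404 (what you see when the rule does not fire or the RST never reaches the client) or closes the socket with a zero linger so the kernel emits a real RST (an offline stand-in for the sensor's injected reset). The URI is the one from the message; the function names, the loopback server and the outcome labels are assumptions of this example.

```python
import socket
import struct
import threading

# URI from Jason's test rule; any site that flows past the sensor will do.
TEST_URI = "/active-rule-SDF32434DFDF.txt"


def probe(host, port, uri=TEST_URI, timeout=5.0):
    """Request the test URI and classify what the client experiences.

    Returns 'reset' when the connection is torn down with no response
    (what a working flexresp rule should produce), 'served <status>' when
    the web server answered normally (e.g. 'served 404', meaning the RST did
    not break the session), or 'timeout' if nothing came back at all.
    """
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(f"GET {uri} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
            while True:
                data = s.recv(4096)
                if not data:
                    break
                chunks.append(data)
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "timeout"
    body = b"".join(chunks)
    if not body:
        # Orderly close with no bytes: the "empty page" case from the message.
        return "reset"
    if body.startswith(b"HTTP/"):
        status = body.split(b" ", 2)[1].decode(errors="replace")
    else:
        status = "?"
    return f"served {status}"


def _serve_once(listener, mode):
    """Constructed stand-in for the target web server (assumption, not a real
    sensor).  mode='reset' closes the socket with SO_LINGER set to zero so the
    kernel sends an RST, imitating what the client sees when the sensor's
    injected reset lands; mode='404' is the ordinary server reply."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)  # consume the request line and headers
        if mode == "reset":
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                            struct.pack("ii", 1, 0))
            return  # closing with zero linger emits RST instead of FIN
        conn.sendall(b"HTTP/1.0 404 Not Found\r\n"
                     b"Content-Length: 9\r\n\r\nnot found")


def simulate(mode):
    """Run probe() against a loopback server behaving as `mode` dictates."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    t = threading.Thread(target=_serve_once, args=(listener, mode), daemon=True)
    t.start()
    try:
        return probe("127.0.0.1", port)
    finally:
        t.join(5)
        listener.close()


if __name__ == "__main__":
    for mode in ("404", "reset"):
        print(f"server mode {mode!r:8} -> client sees {simulate(mode)!r}")
```

Against a real sensor you would call `probe()` with an internal web server that the IDS sees, from the client side of the path; a `served 404` result is the symptom described above of a firewall or NAT device dropping the spoofed RST before it reaches the endpoints.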



