Snort mailing list archives

RE: Flex-Response, anyone using it?


From: <CGhercoias () TWEC COM>
Date: Thu, 20 May 2004 14:07:01 -0400


All,

I'm receiving all the emails from this list and I'm reading pretty much
all of them. I do not always post answers to the questions because I
feel that I do not have enough knowledge to teach others, although I
have been using Snort for quite some years already.

I do not know Paul Schmehl personally, but I had a chance to hear him
speak at Information Security Decisions last month in New York City.
I would never call him or anybody else what this individual
-- IDont ThinkSo [billygates_sux () hotmail com] -- called him.
An individual who does not even have the courage to sign with his real
name or send the email from a real email address.

These kinds of people are the sort we are fighting against on a daily
basis; these are the ones who tomorrow might try to hack into our
systems.
This individual does not belong among the professionals; he is not mature
enough. He is not knowledgeable enough to be allowed to speak publicly.

The admins of lists.sourceforge.net should remove his alias from any/all
lists.

***************************
And though I said I don't recommend it, you could write a snort rule
that uses regex to detect the string "On Behalf Of Paul Schmehl" and 
reset that waste of bandwidth! 
***************************

Here you go:

# Protocol must be tcp, not "any": Snort accepts only tcp/udp/icmp/ip, and
# resp:rst_snd only makes sense on a TCP session. The classtype must also be
# defined in classification.config or Snort will refuse to load the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (sid:1000589; rev:1; \
    msg:"Drop Email -- Waste of time"; \
    content:"billygates_sux () hotmail com"; content:"IDont ThinkSo"; \
    resp:rst_snd,icmp_all; classtype:bothering-activity;)

Any emails from "billygates_sux () hotmail com" will go directly to >
/dev/null.

Thank you,
___________________________
Catalin A. Ghercoias
WEB/Network Security Administrator 
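Before loading a flexresp rule like the one above, it is worth linting it
mechanically: Snort 2 only accepts tcp, udp, icmp and ip as the protocol,
the rst_* resp modifiers only make sense on a TCP session, the classtype
must exist in classification.config, and, as the quoted reply below warns,
a resp on port 25 will tear down SMTP sessions mid-message. The following
Python linter is an added example written for this archive page; it is not
code from the Snort project or from anyone in this thread. The sample rules
it checks are constructed (the first mirrors the shape of the rule posted
above), and the classtype list is a deliberately partial assumption.

```python
"""Lint Snort 2 rules that use the flexresp 'resp' option.

Added example for this archive page; not code from the Snort project or from
anyone in the thread. Assumes Snort 2 rule syntax:
    action proto src sport -> dst dport (opt:val; opt:val; ...)
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

VALID_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}
# Modifiers the Snort 2 'resp' keyword accepts
VALID_RESP = {"rst_snd", "rst_rcv", "rst_all",
              "icmp_net", "icmp_host", "icmp_port", "icmp_all"}
# Assumption: a deliberately partial subset of the default classification.config;
# extend it with whatever your own classification.config defines.
KNOWN_CLASSTYPES = {"attempted-admin", "attempted-user", "attempted-recon",
                    "misc-activity", "policy-violation", "trojan-activity",
                    "bad-unknown", "not-suspicious"}
SMTP_PORT = "25"

# Constructed sample rules (not from any ruleset). The first mirrors the shape
# of the rule posted in the thread; the others exercise the remaining checks.
SAMPLE_RULES = """\
alert any $EXTERNAL_NET any -> $HOME_NET 25 ( sid: 1000589; rev: 1; msg: "Drop Email -- Waste of time"; content: "billygates_sux () hotmail com"; content: "IDont ThinkSo"; resp: rst_snd,icmp_all; classtype: bothering-activity;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (sid:1000001; rev:1; msg:"constructed tcp example"; content:"abc"; resp:rst_all; classtype:attempted-admin;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (sid:1000002; rev:1; msg:"constructed udp example"; resp:rst_snd; classtype:misc-activity;)
"""

HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)


@dataclass
class Rule:
    proto: str
    sport: str
    dport: str
    options: List[Tuple[str, str]] = field(default_factory=list)

    def opt(self, name: str) -> List[str]:
        """All values given for option `name` (content may repeat)."""
        return [v for k, v in self.options if k == name]


def split_options(body: str) -> List[Tuple[str, str]]:
    """Split 'k:v; k2:"v;2";' on semicolons that are outside double quotes."""
    pieces, cur, in_quote = [], [], False
    i = 0
    while i < len(body):
        c = body[i]
        if c == "\\" and in_quote and i + 1 < len(body):  # keep escaped char
            cur.append(body[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == ";" and not in_quote:
            pieces.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    pieces.append("".join(cur))
    parsed = []
    for piece in pieces:
        piece = piece.strip()
        if piece:
            key, _, val = piece.partition(":")
            parsed.append((key.strip(), val.strip().strip('"')))
    return parsed


def parse_rule(line: str) -> Rule:
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not a Snort rule: " + line)
    return Rule(m["proto"].lower(), m["sport"], m["dport"], split_options(m["opts"]))


def lint_rule(rule: Rule) -> List[Tuple[str, str]]:
    """Return (level, message) findings for one rule."""
    findings = []
    if rule.proto not in VALID_PROTOCOLS:
        findings.append(("error", f"protocol '{rule.proto}' is not tcp/udp/icmp/ip"))
    resp = rule.opt("resp")
    if resp:
        mods = {m.strip() for m in resp[0].split(",")}
        for bad in sorted(mods - VALID_RESP):
            findings.append(("error", f"unknown resp modifier '{bad}'"))
        if any(m.startswith("rst_") for m in mods) and rule.proto != "tcp":
            findings.append(("error", "rst_* modifiers send TCP resets; protocol must be tcp"))
        if SMTP_PORT in (rule.sport, rule.dport):
            findings.append(("warning", "resp on port 25: resetting an SMTP session "
                                        "mid-message breaks mail delivery"))
    for ct in rule.opt("classtype"):
        if ct not in KNOWN_CLASSTYPES:
            findings.append(("error", f"classtype '{ct}' not in classification.config"))
    if not rule.opt("sid"):
        findings.append(("error", "missing sid"))
    return findings


def lint_rules(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Lint every rule line in `text`; returns {sid: findings}."""
    report = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        sid = (rule.opt("sid") or ["?"])[0]
        report[sid] = lint_rule(rule)
    return report


if __name__ == "__main__":
    for sid, findings in lint_rules(SAMPLE_RULES).items():
        for level, msg in findings or [("ok", "no findings")]:
            print(f"sid {sid}: {level}: {msg}")
```

Run it as a script to see the findings for the three constructed rules; in
practice you would feed it the contents of your own .rules files before a
reload, and treat any "error" as a reason not to push the ruleset.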




-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of IDont ThinkSo
Sent: Wednesday, May 19, 2004 4:37 PM
To: halljer () auburn edu
Cc: snort-users () lists sourceforge net
Subject: FW: [Snort-users] Flex-Response, anyone using it?

   Paul's an idiot!  As usual nothing of value in his writing.

   Flexresp works well, as all it needs to do is send out a reset packet
(or ICMP unreachable or such) if a certain condition is met.  And yes, if
you write a rule to send a reset packet when a SYN packet on port 25
arrives, it will send one out and block the connection.  HOWEVER, you
should not use flexresp with normal Snort SMTP rules, as mail servers do
not like connections being reset while they are receiving a message.  As
Paul only uses this to torment admins with less knowledge than him (I
don't know how that is possible) he cannot testify to its use in a real
environment.  If they were smarter they might just track his ass down and
beat him senseless.

   Flexresp is certainly not an IPS solution, but it's nice on a limited
scale.  And though I said I don't recommend it, you could write a Snort
rule that uses regex to detect the string "On Behalf Of Paul Schmehl" and
reset that waste of bandwidth!



-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul Schmehl
Sent: Wednesday, May 19, 2004 4:04 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Flex-Response, anyone using it?

--On Wednesday, May 19, 2004 10:07:45 AM -0500 Dusty Hall
<halljer () auburn edu> wrote:

I'm curious to know how many people, if any, are using Flex-Response and
what kind of results they have seen?  I've been using it for some P2P
rules but haven't actually tested it from the client.  Any information
would be greatly appreciated.

There's been a lot of discussion on this list about not depending upon
flexresp to do much for you.

Having said that, I can tell you from personal experience that it will
completely prevent communication between two SMTP servers.

So I would say it works pretty well.  Whether or not it will actually
prevent an attack, I can't say from personal experience, but I *can* tell
you it will irritate the hell out of an admin trying to track down a
failed-connections problem.  :-)

And yes, we still use it.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users





