Snort mailing list archives

RE: AW: Snort& Intrusion Prevention


From: "Eric Hines" <eric.hines () appliedwatch com>
Date: Thu, 3 Jun 2004 11:52:22 -0500

Just my 2 cents here on my understanding of how FLEXRESP works in Snort.
Basically from what I understand, it sends a TCP Reset to both the source
(attacker) and destination (target) IP to reset the connection at both ends.
However, the obvious drawbacks to FLEXRESP and tcpkills in Intrusion
Prevention are timing issues.

Eric Hines, GCIA
CEO, President
Applied Watch Technologies, Inc.
http://www.appliedwatch.com



-----Original Message-----
From: Matt Kettler [mailto:mkettler () evi-inc com] 
Sent: Thursday, June 03, 2004 10:40 AM
To: Maetzky, Steffen (Extern); 'Snort-User
(snort-users () lists sourceforge net)'
Subject: Re: AW: [Snort-users] Snort& Intrusion Prevention

At 05:42 AM 6/3/2004, Maetzky, Steffen (Extern) wrote:
How does flexresp/flexresp2 communicate if it isn't a kind of inline-ids?

How does your PC communicate with other PCs on your network? It just sends
packets.

Flexresp is no more in-line than your desktop pc.


In-line implies traffic to your lan MUST go through the snort box.

Flexresp has no through requirements. Normal traffic goes AROUND it.

 iface (promisc) ------- snort ------- os?
(reset on receiver-side)

Flexresp generally works in the above configuration. It just sends resets
out the sniffing interface. 



-------------------------------------------------------
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
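
An added illustration of the timing issue raised in this thread (not code from either poster or from Snort): a simplified model of a passive sensor whose reset races traffic it cannot hold back. It assumes in-order delivery and the classic RFC 793 in-window check for RST; `Segment`, `passive_reset` and the sample timings are constructed for this example.

```python
from dataclasses import dataclass

MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


@dataclass
class Segment:
    t_ms: float   # time the segment reaches the receiver
    seq: int      # sequence number of the first payload byte
    length: int   # payload bytes


def passive_reset(segments, trigger_idx, sensor_delay_ms, rcv_wnd=65535):
    """Model a passive (non-inline) sensor answering a match with a RST.

    segments must be sorted by t_ms and arrive in order (assumption).
    Returns (rst_accepted, payload_bytes_delivered_from_trigger_on).
    """
    trig = segments[trigger_idx]
    # The sensor builds the RST from the packet it matched on.
    rst_seq = (trig.seq + trig.length) % MOD
    rst_arrival = trig.t_ms + sensor_delay_ms
    # A sniffing sensor cannot drop anything: the trigger segment and every
    # later segment that beats the RST still reach the receiver.
    arrived = [s for s in segments if s.t_ms <= rst_arrival]
    last = arrived[-1]
    rcv_nxt = (last.seq + last.length) % MOD
    # RFC 793 check: RST is honoured only if rcv_nxt <= seq < rcv_nxt + wnd.
    accepted = (rst_seq - rcv_nxt) % MOD < rcv_wnd
    delivered = sum(s.length for s in arrived[trigger_idx:])
    return accepted, delivered


# Constructed sample flow: three 100-byte segments, the first one matches a rule.
SAMPLE = [Segment(0.0, 1000, 100), Segment(0.4, 1100, 100), Segment(5.0, 1200, 100)]

if __name__ == "__main__":
    for delay in (0.2, 1.0):
        ok, got = passive_reset(SAMPLE, 0, delay)
        print(f"sensor delay {delay} ms: rst accepted={ok}, bytes delivered={got}")
```

In both cases the matching segment itself is delivered, which is the difference from an inline device that can drop it before it reaches the target.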