Snort mailing list archives

Re: FlexResp


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 14 Apr 2005 12:13:46 -0400

Mr. venkat wrote:

> Hi all,
> I am using snort on windows.
> I want to add flexresp abilities to snort.
>
> I have added resp:rst_all; to tcp rules and resp:icmp_port,icmp_host;
> to udp rules.
> These settings are added to every rule.
> Is this the correct way?

Probably not. You added it to EVERY rule? Did you carefully consider all
the false positive cases of each and every rule?

Some snort rules are good block criteria. Others are more intended to be
used for informational purposes and don't signify any malicious intent
whatsoever, but can be useful when correlated against an attack that
follows. There are also plenty that are in the grey area of "this looks
a little odd but could be legitimate".

> Also, when I try to add any of these to an ip protocol rule, snort exits.
> Why is it exiting?
> Can't we add flexresp to an ip rule?

What did you try to have flexresp do in your ip rule? Did it have
icmp_port or rst_* in it? Those are fundamentally impossible in an IP
rule. IP doesn't have ports, only hosts.

I don't think flexresp supports ip layer rules, but even if it does, the
only thing you can possibly do is icmp_host or icmp_net. Anything else
such as icmp_port would have to bomb as soon as some IP packet came by
that wasn't tcp or udp, such as icmp.
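A small rule-file checker for the validity point made above (rst_* needs a tcp rule, icmp_port needs a protocol that has ports, and an ip or icmp rule can at most use icmp_host or icmp_net), plus a count of how many rules carry a resp option at all. This is an added example written for this archive page; it is not code from the thread or from Snort. The per-protocol table of allowed resp values is an assumption derived from the reply, the sample rules are constructed, and the parser handles only the common single-line rule form.

```python
import re

# Constructed sample rules: one tcp, one udp, one ip rule with resp options,
# and one icmp rule without. The ip rule uses icmp_port, which IP cannot satisfy.
SAMPLE_RULES = """\
alert tcp any any -> $HOME_NET 80 (msg:"WEB-MISC test"; content:"/cgi-bin/"; resp:rst_all; sid:1000001; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"DNS test"; content:"|00 01|"; resp:icmp_port,icmp_host; sid:1000002; rev:1;)
alert ip any any -> $HOME_NET any (msg:"IP test"; resp:icmp_port,icmp_host; sid:1000003; rev:1;)
alert icmp any any -> $HOME_NET any (msg:"ICMP info"; itype:8; sid:1000004; rev:1;)
"""

# Assumed table of resp values that make sense per protocol, following the
# reasoning in the reply (rst_* only for tcp; port unreachables only where
# there is a port; ip/icmp rules limited to host or network unreachables).
ALLOWED_RESP = {
    "tcp": {"rst_snd", "rst_rcv", "rst_all", "icmp_net", "icmp_host", "icmp_port", "icmp_all"},
    "udp": {"icmp_net", "icmp_host", "icmp_port", "icmp_all"},
    "ip": {"icmp_net", "icmp_host"},
    "icmp": {"icmp_net", "icmp_host"},
}

# action proto src sport dir dst dport (options)
RULE_RE = re.compile(
    r"^\s*(alert|log|pass|drop|reject|sdrop)\s+(\S+)\s+\S+\s+\S+\s+(->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$"
)


def split_options(body):
    """Split the option body on ';' but not inside double quotes (content:"a;b")."""
    parts, cur, in_quote = [], [], False
    for ch in body:
        if ch == '"':
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_rule(line):
    """Return {'action', 'proto', 'options'} for a single-line rule, else None."""
    m = RULE_RE.match(line)
    if not m:
        return None
    action, proto, _direction, body = m.groups()
    options = {}
    for opt in split_options(body):
        key, _, val = opt.partition(":")
        options[key.strip()] = val.strip()
    return {"action": action, "proto": proto.lower(), "options": options}


def check_resp(rule):
    """List the resp values on this rule that its protocol cannot honour."""
    problems = []
    resp = rule["options"].get("resp")
    if resp is None:
        return problems
    allowed = ALLOWED_RESP.get(rule["proto"], set())
    sid = rule["options"].get("sid", "?")
    for value in (v.strip() for v in resp.split(",")):
        if value not in allowed:
            problems.append(f"sid {sid}: resp:{value} is not valid for a {rule['proto']} rule")
    return problems


def lint_rules(text):
    """Lint every rule in the text; also report whether resp was put on every rule."""
    findings = {"rules": 0, "with_resp": 0, "problems": []}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        findings["rules"] += 1
        if "resp" in rule["options"]:
            findings["with_resp"] += 1
        findings["problems"].extend(check_resp(rule))
    findings["resp_on_every_rule"] = findings["rules"] > 0 and findings["with_resp"] == findings["rules"]
    return findings


if __name__ == "__main__":
    result = lint_rules(SAMPLE_RULES)
    print(f"{result['with_resp']} of {result['rules']} rules carry resp")
    if result["resp_on_every_rule"]:
        print("warning: resp is on every rule; review each rule's false-positive risk first")
    for problem in result["problems"]:
        print(problem)
```

Run it against a real rules file by passing the file's contents to `lint_rules`; the `resp_on_every_rule` flag is the cheap check for the "added to every rule" situation, and the per-rule problems show which resp values the protocol of that rule cannot carry.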
