Snort mailing list archives
Re: FlexResp
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 14 Apr 2005 12:13:46 -0400
Mr. venkat wrote:
> Hi all, I am using Snort on Windows. I want to add flexresp abilities to Snort. I have added resp:rst_all; to tcp rules and resp:icmp_port,icmp_host; to udp rules. These settings are added to every rule. Is this the correct way?
Probably not. You added it to EVERY rule? Did you carefully consider all the false positive cases of each and every rule? Some snort rules are good block criteria. Others are more intended to be used for informational purposes and don't signify any malicious intent whatsoever, but can be useful when correlated against an attack that follows. There are also plenty that are in the grey area of "this looks a little odd but could be legitimate".
> Also, when I try to add any of these to an ip protocol rule, Snort exits. Why is it exiting? Can't we add flexresp to an ip rule?
What did you try to have flexresp do in your ip rule? Did it have icmp_port or rst_* in it? Those are fundamentally impossible in an IP rule. IP doesn't have ports, only hosts. I don't think flexresp supports ip layer rules, but even if it does, the only thing you can possibly do is icmp_host or icmp_net. Anything else such as icmp_port would have to bomb as soon as some IP packet came by that wasn't tcp or udp, such as icmp.
Current thread:
- FlexResp Mr. venkat (Apr 14)
- Re: FlexResp Matt Kettler (Apr 14)