[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...
bmc at ...227...
Wed Aug 22 23:20:56 EDT 2001
tlewis at ...255... wrote:
> Personally, I think that the answer is to drop packets rather than trying
> to fool the attacker into stopping. If you had a flexible rule system,
> then you could drop packets whose ttl is >= the ttl required for it
> to get to the destination. That way, traceroutes would go right up to
> the target of the attack and then die, with the attacker having no clue
> which box in the middle is doing the filtering.
Except in many environments, having a NIDS as a gateway is not a practical
solution. I don't agree with shooting down a session, but there are
cases where it is needed.
The MITRE Corporation