[Snort-devel] IDS fingerprinting techniques & Snort's FlexResponse...

Brian Caswell bmc at ...227...
Wed Aug 22 23:20:56 EDT 2001


tlewis at ...255... wrote:
> Personally, I think that the answer is to drop packets rather than trying
> to fool the attacker into stopping.  If you had a flexible rule system,
> then you could drop packets whose ttl is >= the ttl required for it
> to get to the destination.  That way, traceroutes would go right up to
> the target of the attack and then die, with the attacker having no clue
> which box in the middle is doing the filtering.

Except in many environments, having a NIDS as a gateway is not a practical
solution.  I don't agree with shooting down a session, but there are
cases where it is needed.

-- 
Brian Caswell
The MITRE Corporation



