[Snort-users] Re: [snort] Multiple Interfaces and a /16
jeff at ...2...
Thu Jul 13 15:28:21 EDT 2000

That's a more than fair diagnosis of one of the results of using a
stealth interface. Personally I don't agree with the school of thought
that says an IDS should operate outside of the realm of detection so I'm
very hesitant to use active response.

Erich Meier wrote:
> Alerts will work without problems. But the flexible response stuff will break.
> Remember, snort pretends to be the target machine when sending i.e. a TCP RST.
> The only case that I can think of where that would work is an IPoverIP (i.e.,
> cisco's GRE) tunnel. The code in response.c doesn't look like it could handle
> a special port on such a tunnel interface, though.

Jeff Nathan <jeff at ...2...>
Core R&D http://www.hiverworld.com
Hiverworld, Inc. Continuous Adaptive Risk Management