[Snort-users] Re: [snort] Multiple Interfaces and a /16

Jeff Nathan jeff at ...2...
Thu Jul 13 15:28:21 EDT 2000


That's a more than fair diagnosis of one of the results of using a
stealth interface.  Personally I don't agree with the school of thought
that says an IDS should operate outside of the realm of detection so I'm
very hesitant to use active response.

-Jeff

Erich Meier wrote:
> 
> Alerts will work without problems. But the flexible response stuff will break.
> Remember, snort pretends to be the target machine when sending i.e. a TCP RST.
> The only case that I can think of where that would work is an IPoverIP (i.e.,
> Cisco's GRE) tunnel. The code in response.c doesn't look like it could handle
> a special port on such a tunnel interface, though.
> 
> Erich

-- 
Jeff Nathan                          <jeff at ...2...>
Core R&D                         http://www.hiverworld.com
Hiverworld, Inc.       Continuous Adaptive Risk Management




