[Snort-users] TCP Reset
FKnobbe at ...649...
Sat May 19 15:49:18 EDT 2001
> -----Original Message-----
> From: michael.porter at ...1284... [mailto:michael.porter at ...1284...]
> Sent: Saturday, May 19, 2001 2:51 PM
>
> What does the group think of the benefits of killing TCP connections, as
> available in FLEXRESP, or even the Tcpkill feature in ISS
Personally, I don't like it and don't use it. I like to design IDS
implementations in such a way that it is impossible to establish 'a
dialog' with the IDS box from the dirty network. In other words, I
like to have them only being able to sniff traffic, but not send
traffic (using taps and 'read-only' cables). Any management and
communication that the IDS box sends should occur over a separate,

I do like the ability for IDS systems to take an active role and
respond actively (hence my plug-in that reconfigures Chkpt
firewalls). But in this case there is no data sent to the intruder,
the firewall will just filter him out. I don't like sending packets
to someone trying to break into my network.
jmpo (Just my personal opinion)