[Snort-users] some basic questions

Rob Collins robtompc at ...131...
Wed Oct 3 09:57:04 EDT 2001

Hi, I'm very new to snort, and IDS.  I've read the
Snort user's manual, and it left me with a couple of
questions (to say the least).

First, the Resp keyword: according to the manual, "The
resp keyword impliments flexible (FlexResp) to traffic
that matches a Snort rule.  The FlexResp code allows
Snort to actively close offending connections. ...". 
This boggles the mind.  How does it achieve this is
the traffic is not bound for the snort boxes' own ip?
I was under the assumption IDS sits on a bus and
monitors all traffic, and that you DONT put the IDS on
the Firewall itself, but on its external bus.  Like

[ROUTER]   [IDS]   [FIREWALL]--{Int. Network}
   |         |          |
Since the IDS and Firewall are seperate, the firewall
may pass the matched packet on to the internal host. 
Snort has now way of stopping this (??).  Does sending
forged RST packets (or icmp X unreachable) from the
IDS reset the connection, is this what Snort is doing?

Secondly, the React keyword: In figure 2.21 two
examples of the react keyword are used.  The rules
alert tcp any any <> 80 \
   (content-list: "adults"; msg: "Not for children!";
   react: block, msg;)
alert tcp any any <> any \
   (content-list: "adults"; \
   msg "Adults list access attempt"; react: block;)
In the description of react, it describes the action
taken by msg and block:
block - close connection and send the visible message
msg - include the msg option text into the blocking
visible notice
So my question is, in the figure, the first rules
react clause says block, msg  -- isn't msg redundant
since block will "and send the visible message". 
Also, if I'm correct above, when is msg useful?

The Reference keyword: This is far too confusing.  I
don't understand at all how this rule works.  An
example would be wonderful.

The Classtype keyword: What does setting the classtype
for a rule accomplish?

Much thanks!

"Experience is that marvelous thing that enables you to recognize a mistake when you make it again." -- F. P. Jones

Do You Yahoo!?
Listen to your Yahoo! Mail messages from any phone.

More information about the Snort-users mailing list