[Snort-users] drop rules

Matt Kettler mkettler at ...4108...
Mon Aug 12 09:05:02 EDT 2002


Drop rules are for tools like hogwash. Bear in mind that hogwash/drop rule 
type setups can *only* work if your snort box is an in-line two or more 
interface router, and not just a box on the side acting as a one interface 
sniffer.

See: http://hogwash.sourceforge.net/

Once hogwash decides to drop a packet, there's little or no chance of it 
passing through the firewall.

Resp rules are for flexresp, an add-on feature that ships with snort but 
needs to be enabled at compile time. Flexresp can be used in a sniffer type 
configuration and does not need to be part of an in-line firewall, but does 
require that your sniffer connection be able to send packets (no one-way 
taps or cables). However, due to the nature of reset spoofing, flexresp 
connection resets will never be completely reliable (i.e., they can fail, 
particularly if your attacker is aware of the use of flexresp and is 
actively trying to advance the sequence number before flexresp can react).


At 06:18 AM 8/12/2002 -0700, charella constansia wrote:
>please correct me if I'm wrong!
>
>I thought that the rule action drop didn't exist, or
>did I miss something?
>If you want to drop a connection you have to use the
>resp option, or can you use the drop option?
>
>thanks sharella
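
The reset race described in the reply above, as an added example that is not part of the original message and is not Snort or flexresp code: a small model of the RFC 793 rule that an endpoint honours a reset only if its sequence number falls inside the receive window. The `Receiver` class, the `sniffer_reset` function and all sample numbers are constructed for illustration.

```python
# Added illustration (not Snort/flexresp code): RFC 793 reset validation
# at the endpoint that a sniffer-injected RST has to satisfy.
MOD = 2 ** 32  # TCP sequence numbers wrap at 32 bits


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 check: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


class Receiver:
    """Hypothetical endpoint tracking only what matters for RST acceptance."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt, self.rcv_wnd, self.open = rcv_nxt, rcv_wnd, True

    def deliver_data(self, seq, length):
        # In-order data advances RCV.NXT; anything else is ignored here.
        if self.open and seq == self.rcv_nxt:
            self.rcv_nxt = (self.rcv_nxt + length) % MOD

    def deliver_rst(self, seq):
        # A reset outside the receive window is silently discarded.
        if self.open and in_window(seq, self.rcv_nxt, self.rcv_wnd):
            self.open = False
        return not self.open


def sniffer_reset(rcv_wnd, bytes_ahead, isn=MOD - 100, seg_len=200):
    """Sensor sees one segment and forges an RST at seq+len.

    bytes_ahead is the data that reaches the receiver after the observed
    segment but before the forged RST does. Returns True if the connection
    is torn down. The matched segment itself is always delivered, because
    a one-interface sniffer cannot hold it back.
    """
    rx = Receiver(isn, rcv_wnd)
    rx.deliver_data(isn, seg_len)              # segment that matched a rule
    rst_seq = (isn + seg_len) % MOD            # sensor's view of RCV.NXT
    if bytes_ahead:
        rx.deliver_data(rst_seq, bytes_ahead)  # arrives ahead of the RST
    return rx.deliver_rst(rst_seq)


if __name__ == "__main__":
    for ahead in (0, 1, 1460):
        print(ahead, "bytes ahead -> reset accepted:", sniffer_reset(8192, ahead))
```

An in-line device has no equivalent race: the matched packet is simply never forwarded, so nothing depends on the sensor's view of the sequence space staying current.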
