[Snort-users] drop rules
mkettler at ...4108...
Mon Aug 12 09:05:02 EDT 2002
Drop rules are for tools like hogwash. Bear in mind that hogwash/drop rule
type setups can *only* work if your snort box is an in-line two or more
interface router, and not just a box on the side acting as a one interface
Once hogwash decides to drop a packet, there's little or no chance of it
passing through the firewall.
Resp rules are for flexresp, an add-on feature that ships with snort but
needs to be enabled at compile time. Flexresp can be used in a sniffer type
configuration and does not need to be part of an in-line firewall, but does
require that your sniffer connection be able to send packets (no one-way
taps or cables). However, due to the nature of reset spoofing, flexresp
connection resets will never be completely reliable (i.e. they can fail,
particularly if your attacker is aware of the use of flexresp and is
actively trying to advance the sequence number before flexresp can react).
At 06:18 AM 8/12/2002 -0700, charella constansia wrote:
>Please correct me if I'm wrong!
>I thought that the rule action drop didn't exist, or
>did I miss something?
>If you want to drop a connection you have to use the
>resp option, or can you use the drop option?
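The point about reset spoofing being unreliable can be made concrete with a small model. The following Python is an added illustration, not code from the thread, snort or flexresp: it implements the RFC 793 rule that a receiver honours a RST only when its sequence number falls inside the current receive window, and then races a sniffer-built RST against additional data reaching the endpoint first. The `Receiver` class, the window size and the sequence numbers are constructed for the example.

```python
"""Why a sniffer-side (flexresp style) TCP reset can lose the race.

A passive sensor sees a segment and spoofs a RST carrying the next sequence
number it expects. The endpoint, per RFC 793, accepts a RST only if that
sequence number lies within its receive window. Any data the endpoint
consumes before the spoofed RST arrives moves the window forward and the
RST is silently discarded. An in-line box has no such race: it simply
never forwards the packet.
"""
from dataclasses import dataclass

MODULO = 2 ** 32  # TCP sequence space wraps at 2^32


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 validity check: rcv_nxt <= seq < rcv_nxt + rcv_wnd (mod 2^32)."""
    return (seq - rcv_nxt) % MODULO < rcv_wnd


@dataclass
class Receiver:
    """Minimal model of one end of an established TCP connection (constructed)."""
    rcv_nxt: int          # next sequence number the receiver expects
    rcv_wnd: int = 8192   # advertised receive window (constructed value)
    reset: bool = False   # becomes True once a valid RST is accepted

    def deliver_data(self, seq: int, length: int) -> bool:
        """Consume an in-order data segment; out-of-order data is ignored here."""
        if seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + length) % MODULO
        return True

    def deliver_rst(self, seq: int) -> bool:
        """Apply the RFC 793 check; return whether the connection is now reset."""
        if in_window(seq, self.rcv_nxt, self.rcv_wnd):
            self.reset = True
        return self.reset


def sensor_rst_seq(seen_seq: int, seen_len: int) -> int:
    """Sequence number a passive sensor puts in its spoofed RST: the byte
    right after the segment that triggered the rule."""
    return (seen_seq + seen_len) % MODULO


def simulate(extra_bytes_before_rst: int) -> bool:
    """Race a sensor-built RST against data that reaches the endpoint first.

    Returns True if the spoofed RST tore the connection down.
    """
    rx = Receiver(rcv_nxt=1000)
    # Both the endpoint and the sensor observe the triggering segment.
    rx.deliver_data(1000, 100)
    rst_seq = sensor_rst_seq(1000, 100)
    # The sender keeps transmitting; these bytes arrive before the RST does.
    rx.deliver_data(1100, extra_bytes_before_rst)
    return rx.deliver_rst(rst_seq)


if __name__ == "__main__":
    for extra in (0, 1, 1460, 4000):
        outcome = "reset accepted" if simulate(extra) else "reset ignored"
        print(f"{extra:5d} bytes ahead of the RST: {outcome}")
```

With no data in flight the spoofed RST lands exactly on `rcv_nxt` and is accepted; as soon as even one more byte has been consumed, the sensor's sequence number is behind the window and the endpoint drops the RST, which is the failure mode the reply describes. Real stacks add further conditions (and some only accept a RST that matches `rcv_nxt` exactly), so this model is the optimistic case for the sensor.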