[Snort-users] Snort+flexresp

Bamm Visscher bamm at ...539...
Wed Mar 27 05:08:04 EST 2002


There is no way to force flex-resp to be successful against HTTP. Most
of the time, the source of an HTTP connection sends five packets. Two
for establishing the session (syn then ack), and two to tear down the
session (fin/ack and ack). Plus one that contains the GET/POST/etc
request (usually a push/ack). It is impossible for flex-resp to kill
this session before the dest gets the GET/POST/etc, and thus it is
impossible to create a rule to prevent the server from processing the
GET/POST/etc request. If for some reason, the GET/POST/etc contains so
much data that it is spread across multiple packets, then you may have a
slim chance at killing the session before the dest processes the request
(may the network lag be with you).

The dest is going to send as many packets as it takes to return the info
requested, but killing the connection at that time is almost pointless
since the server has already processed the perp's request/command. At
best you might prevent the perp from seeing all the results of a
directory listing.

BTW, this is not a snort-specific problem. It affects every IDS that uses
tcp-resets to kill connections.


On Wed, 2002-03-27 at 00:36, Ronneil Camara wrote:
> Hi Bamm,
> I'm impressed with how you answered every post on this thread.
> So now, what can you suggest to me so that flex-resp will be successful in
> killing connections, let's say for http?
> Thank you very much.
> Neil
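The race Bamm describes can be written down as a small timing model. This is an added illustration, not Snort or flexresp code; the link delays, the tap position and the IDS reaction time are constructed assumptions, and the model simply compares when the server holds the complete request against when a forged RST can reach it.

```python
"""Timing model for TCP-reset session killing against an HTTP request.

Constructed example (not Snort code). All times are milliseconds and are
assumptions chosen to show the race, not measurements.
"""
from dataclasses import dataclass


@dataclass
class Link:
    client_to_tap: float   # client -> point where the IDS sees a copy
    tap_to_server: float   # tap point -> server
    ids_react: float       # time to match the rule and forge a RST
    ids_to_server: float   # forged RST -> server


def race(link, request_segments, segment_gap):
    """Return (killed, server_has_request_at, rst_arrives_at).

    request_segments: PSH/ACK segments carrying the GET/POST.
    segment_gap: spacing between those segments leaving the client.
    SYN and ACK carry nothing a content rule can match, so the IDS can
    fire no earlier than the first request segment; the server acts
    once the last request segment has arrived.
    """
    first_sent = 0.0
    last_sent = first_sent + segment_gap * (request_segments - 1)
    server_complete = last_sent + link.client_to_tap + link.tap_to_server
    rst_arrival = (first_sent + link.client_to_tap
                   + link.ids_react + link.ids_to_server)
    return rst_arrival < server_complete, server_complete, rst_arrival


if __name__ == "__main__":
    # Assumed: IDS sits just in front of the server; its RST takes as long
    # to reach the server as the client's own segment does from the tap.
    link = Link(client_to_tap=20, tap_to_server=5, ids_react=2, ids_to_server=5)
    # One-packet GET: the RST always trails the request by ids_react.
    print("single segment:", race(link, 1, 0))
    # Request split over three segments with lag between them: a slim chance.
    print("3 segments, 10 ms apart:", race(link, 3, 10))
    print("3 segments, 1 ms apart:", race(link, 3, 1))
```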
