[Snort-users] Is anyone using 'react' to block the use of Gnutella?
mkettler at ...4108...
Mon Sep 23 13:28:03 EDT 2002
Sure, you'd need a flexresp enabled build of snort, but doing a react
reset_all should work most of the time.
The traffic isn't likely to be hand optimized for flexresp evasion, so it
should have a pretty low "failure to kill connection" rate. This isn't
exactly a security-critical situation, so a very small (less than 1 in
1000) failure rate is acceptable. Certainly killing 999 out of 1000 connect
attempts is going to be enough to make gnutella almost unusable.
Sounds like a great job for flexresp.. it's the kind of task it seems best
cut out for.
At 02:38 PM 9/23/2002 -0500, Vieth, Scott wrote:
>Since Snort can 'see' the folks who are running Gnutella, could I use
>'react' to block/disrupt/close those connections?
More information about the Snort-users