[Snort-users] Is anyone using 'react' to block the use of Gnutella?

Matt Kettler mkettler at ...4108...
Mon Sep 23 13:28:03 EDT 2002


Sure, you'd need a flexresp-enabled build of Snort, but doing a react 
reset_all should work most of the time.

The traffic isn't likely to be hand-optimized for flexresp evasion, so it 
should have a pretty low "failure to kill connection" rate. This isn't 
exactly a security-critical situation, so a very small (less than 1 in 
1000) failure rate is acceptable. Certainly killing 999 out of 1000 connect 
attempts is going to be enough to make Gnutella almost unusable.

Sounds like a great job for flexresp. It's the kind of task it seems best 
cut out for.




At 02:38 PM 9/23/2002 -0500, Vieth, Scott wrote:
>Since Snort can 'see' the folks who are running Gnutella, could I use
>'react' to block/disrupt/close those connections?




