[Snort-users] Is anyone using 'react' to block the use of Gnutella?

Matt Kettler mkettler at ...4108...
Mon Sep 23 15:14:10 EDT 2002


Even if it was a "dirty" catch all, resetting the connection at any point 
in the connection will kill it.. really, all of the "react" keyword actions 
try to terminate the connection. (either using spoofed ICMP or spoofed tcp RST)

At 04:02 PM 9/23/2002 -0600, hackerwacker wrote:
>I had not realized he was talking about RST's for initial gets, as opposed
>to a more dirty catch all rule for Gnutella.
>----- Original Message -----
>From: "Matt Kettler" <mkettler at ...4108...>
>To: <snort-users at lists.sourceforge.net>
>Sent: Monday, September 23, 2002 3:32 PM
>Subject: Re: [Snort-users] Is anyone using 'react' to block the use of
>Gnutella?
>
>
> > Hmm, a packet storm? Is Gnutella somehow particularly ill-behaved and not
> > using the OS's IP stack (raw socket level interface, as a P2P app? evil..)
> >
> > TCP is pretty well behaved about this kind of thing. I'd like to see how
> > this properly amplifies or sustains in order to act as a storm.
> >
> >
> > At 02:22 PM 9/23/2002 -0600, hackerwacker wrote:
> > >NOT advised. Unless you want a packet storm.
> >
> >
> >





More information about the Snort-users mailing list