[Snort-users] How to make flexresp respond on all existing rules ?

Matt Kettler mkettler at ...4108...
Thu Jul 10 18:20:39 EDT 2003


At 06:23 PM 7/10/2003 -0400, Erek Adams wrote:
> > Do I manually have to edit all rules that I want a flexresp response for
> > (by inserting the string "resp:rst_all"), or is there a way to make
> > snort make a flexresp response on any alerts (without editing the rules)
> > ?
>
>Edit the rules.

Agreed, he'll have to edit all the rules. Even if you could do that, 
rst_all only makes sense in the context of tcp; however, there are a lot of 
ip, udp, and icmp rules in the rules.

Of course, the even more important question is why on earth would you 
want to do that?

1) The default ruleset FP's a fair amount, so you'll create nuisance resets.

2) An educated attacker can _always_ bypass flexresp, so it offers no 
security against an attacker that understands how tcp reset packets work. 
Don't be fooled into thinking you can keep hackers out with flexresp, 
you'll just slow them down a little.
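
Added example, not part of the original post or of Snort itself: a small rule editor that appends `resp:rst_all;` only to single-line `alert tcp` rules whose sid is on a reviewed list, leaving ip/udp/icmp rules and rules that already carry a `resp` option alone. The sid allowlist, the function names and the sample rules are assumptions made for illustration.

```python
import re

# alert <proto> <header> ( <options> ) -- single-line rules only (assumption)
RULE_RE = re.compile(r'^(?P<head>\s*alert\s+(?P<proto>\w+)\s+[^(]*)\((?P<opts>.*)\)\s*$')
QUOTED_RE = re.compile(r'"(?:\\.|[^"\\])*"')    # quoted msg/content values
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
RESP_RE = re.compile(r'\bresp\s*:')

def add_rst_all(line, sids):
    """Return (line, sid) if resp:rst_all was appended, else (line, None)."""
    m = RULE_RE.match(line)
    if not m or m.group('proto').lower() != 'tcp':
        return line, None               # comments, blanks, ip/udp/icmp rules
    opts = m.group('opts').rstrip()
    bare = QUOTED_RE.sub('""', opts)    # ignore text inside quoted strings
    sid = SID_RE.search(bare)
    if not sid or int(sid.group(1)) not in sids:
        return line, None               # not on the reviewed allowlist
    if RESP_RE.search(bare):
        return line, None               # already carries a resp option
    if not opts.endswith(';'):
        opts += ';'
    return f"{m.group('head')}({opts} resp:rst_all;)", int(sid.group(1))

def process(text, sids):
    """Rewrite a rules file body; returns (new_text, list of edited sids)."""
    out, edited = [], []
    for line in text.splitlines():
        new, sid = add_rst_all(line, sids)
        out.append(new)
        if sid is not None:
            edited.append(sid)
    return '\n'.join(out) + '\n', edited

# Constructed sample rules (not taken from any real ruleset)
SAMPLE = r'''# local.rules
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed tcp rule"; content:"resp:"; sid:1000001; rev:1;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed udp rule"; sid:1000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed, has resp"; resp:rst_snd; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"constructed, not selected"; sid:1000004; rev:1;)
'''

if __name__ == '__main__':
    new_text, edited = process(SAMPLE, {1000001, 1000002, 1000003})
    print(new_text, end='')
    print('edited sids:', edited)
```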




