[Snort-users] How to make flexresp respond on all existing rules ?
flynngn at ...6811...
Thu Jul 10 19:17:12 EDT 2003
Rich Adamson wrote:
>Hopefully you've read the archives to know that flexresp can lead you into
>a false sense of security as not all intruders actually listen for whatever
>flexresp might be sending.
Also remember that an HTTP connection payload can consist of one packet
beyond the initial handshake. And
that one packet can do the damage. Resetting the connection after you
see the signature and the
packet is delivered won't help. Only something like Hogwash or another
inline IDS that drops
the packet before it gets to the target would offer protection.
More information about the Snort-users