[Snort-users] How to make flexresp respond on all existing rules ?

Gary Flynn flynngn at ...6811...
Thu Jul 10 19:17:12 EDT 2003


Rich Adamson wrote:

>Hopefully you've read the archives to know that flexresp can lead you into
>a false sense of security as not all intruders actually listen for whatever
>flexresp might be sending. 
>
Also remember that an HTTP connection payload can consist of one packet beyond the initial handshake. And that one packet can do the damage. Resetting the connection after you see the signature and the packet is delivered won't help. Only something like Hogwash or another inline IDS that drops the packet before it gets to the target would offer protection.
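
The ordering problem described in this message, as an added example that is not part of the original post and is not Snort or Hogwash code: a packet-level toy model comparing a passive sensor that resets after a match with an inline sensor that drops the matching packet. The signature, the sample traffic, and the `rst_delay` parameter are constructed assumptions of the model.

```python
# Added illustration: toy model of sensor placement (all names are hypothetical).
SIGNATURE = b"CONSTRUCTED-BAD-PATTERN"  # constructed sample signature


class Target:
    """Records which packets actually reached the protected host."""

    def __init__(self):
        self.received = []
        self.reset = False

    def deliver(self, payload):
        # Once the connection is reset, later segments are not accepted.
        if not self.reset:
            self.received.append(payload)


def passive_with_reset(packets, target, rst_delay=0):
    """Sensor on a tap: it inspects a copy, so forwarding never waits for it.

    rst_delay = number of further packets that reach the target before
    the sensor's RST takes effect (an assumption of this model).
    """
    rst_at = None
    for i, pkt in enumerate(packets):
        if rst_at is not None and i >= rst_at:
            target.reset = True
        target.deliver(pkt)                  # original packet is already on its way
        if rst_at is None and SIGNATURE in pkt:
            rst_at = i + 1 + rst_delay       # RST can only follow the match
    return target


def inline_drop(packets, target):
    """Sensor in the forwarding path: a matching packet is never forwarded."""
    for pkt in packets:
        if SIGNATURE in pkt:
            continue                         # dropped before it reaches the target
        target.deliver(pkt)
    return target


def signature_reached_target(target):
    return any(SIGNATURE in p for p in target.received)


# Constructed traffic: a single-packet request, then a four-packet stream.
ONE_PACKET = [b"GET /x?" + SIGNATURE + b" HTTP/1.0\r\n\r\n"]
STREAM = [b"part-1", b"part-2 " + SIGNATURE, b"part-3", b"part-4"]
```

Even with `rst_delay=0`, the passive model delivers the matching packet; the reset only affects what comes after it.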
