[Snort-users] react: block

Matt Kettler mkettler at ...4108...
Fri Jul 25 10:04:08 EDT 2003


At 06:12 PM 7/25/2003 +0800, Edmund wrote:
>Isn't the "react: block;" option supposed to block all further
>attempts at sending/receiving information based on the snort rule?
>
>Here's an attempt to block Google's image:
>
>alert tcp any 80 <> any any ( content: "/images/hp"; \
>                               msg: "Blocked Google image"; \
>                               react: block;)
>
>The message is displayed in the log but the image still goes
>through.  Did I misunderstand something rather important regarding
>this feature?
>
>Any help appreciated.


Heh, "react: block" basically causes snort to use flexresp to try to reset 
the connection.

Of course, if the transfer consists only of one packet, resetting the 
connection won't matter.

Also in the case of very small http'ed images and snort running stream4, 
you won't likely try to issue a reset until the image is done anyway.


Besides.. any skilled attacker can bypass flexresp at will with great ease. 
IMO, you'd be an absolute fool to use flexresp with any expectations of it 
working well.
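
The timing problem described in the reply above, as an added example that is not part of the original post and is not Snort code. It is a toy model of a passive sensor that can only answer a match with a TCP reset after a delay; the packet timings, segment sizes, and the choice to model stream reassembly as a longer reaction delay are all assumptions.

```python
# Toy timing model (constructed values, not Snort code): a passive sensor sees a
# copy of every packet and can only inject a TCP RST some time after a match.
from dataclasses import dataclass

PATTERN = b"/images/hp"  # content string from the rule quoted in the post


@dataclass
class Packet:
    t_ms: float       # time the packet passes the sensor's tap
    to_server: bool   # True = client->server, False = server->client
    payload: bytes


def http_exchange(n_segments, seg_len=1460, first_ms=2.0, gap_ms=1.0):
    """Constructed trace: one GET, then n_segments of response data."""
    pkts = [Packet(0.0, True, b"GET /images/hp0.gif HTTP/1.0\r\n\r\n")]
    for i in range(n_segments):
        pkts.append(Packet(first_ms + i * gap_ms, False, b"\x00" * seg_len))
    return pkts


def simulate(packets, reaction_ms):
    """Return (response bytes the client accepted, response bytes sent)."""
    rst_at = None
    delivered = total = 0
    for p in sorted(packets, key=lambda p: p.t_ms):
        # Sensor: the first matching payload schedules the reset.
        if rst_at is None and PATTERN in p.payload:
            rst_at = p.t_ms + reaction_ms
        if p.to_server:
            continue
        total += len(p.payload)
        # Data that passes the tap before the RST is injected reaches the
        # client first, so the reset cannot take it back.
        if rst_at is None or p.t_ms < rst_at:
            delivered += len(p.payload)
    return delivered, total


if __name__ == "__main__":
    for label, segs, delay in [("one-packet image, 5 ms reaction", 1, 5.0),
                               ("40-segment transfer, 5 ms reaction", 40, 5.0),
                               ("40-segment transfer, 50 ms reaction", 40, 50.0)]:
        got, sent = simulate(http_exchange(segs), delay)
        print(f"{label}: client received {got} of {sent} bytes")
```

For actual blocking, the enforcement point has to sit in the traffic path (a firewall or filtering proxy) rather than race the transfer from a tap.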






