[Snort-users] Documentation suggestions regarding the unreliability flexresp.
mkettler at ...4108...
Fri Jul 25 10:20:07 EDT 2003
It seems to be a common misunderstanding that flexresp actually works well
and is usable as a reliable alternative to a firewall.
Certainly nobody that understands how flexresp works would be foolish
enough to think of it as a firewall alternative, but the documentation that
comes with snort fails to make it clear that flexresp can be bypassed 100%
of the time by a skilled attacker, and that it may not even work relaibly
against "routine" traffic.
I'd suggest that all the documentation regarding flexresp be updated to
have at least some mention of the fact that it is unreliable.
docs/README.FLEXRESP is a VERY obvious target that should have a mention of
this. I'd also suggest that the "react:block" in the web documentation have
some mention of it.
Something along the lines of this would be appropriate:
"It should be noted that the Flexresp mechanism is not a reliable one and
should be treated as a "last resort" type option. If a skilled attacker is
aware that flexresp is being used he can craft his packets to be able to
evade flexresp with near 100% chance of success. Thus in the case of a
skilled attacker flexresp will merely slow the attacker down by thwarting
his "first try". This might give you some time you have to respond before
he modifies his attack to get around it, but it will not stop a carefully
crafted second try at the attack. Even in the case of an automated script,
there is always a small chance that flexresp will fail to be able to close
the connection before it is too late, so it cannot be relied upon as a sole
defense against worms and scripts either.".
More information about the Snort-users