[Snort-users] Documentation suggestions regarding the unreliability of flexresp.

Matt Kettler mkettler at ...4108...
Fri Jul 25 10:20:07 EDT 2003


It seems to be a common misunderstanding that flexresp actually works well 
and is usable as a reliable alternative to a firewall.

Certainly nobody that understands how flexresp works would be foolish 
enough to think of it as a firewall alternative, but the documentation that 
comes with snort fails to make it clear that flexresp can be bypassed 100% 
of the time by a skilled attacker, and that it may not even work reliably 
against "routine" traffic.

I'd suggest that all the documentation regarding flexresp be updated to 
have at least some mention of the fact that it is unreliable.

docs/README.FLEXRESP is a VERY obvious target that should have a mention of 
this. I'd also suggest that the "react:block" in the web documentation have 
some mention of it.

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.24

Something along the lines of this would be appropriate:

"It should be noted that the Flexresp mechanism is not a reliable one and 
should be treated as a "last resort" type option. If a skilled attacker is 
aware that flexresp is being used he can craft his packets to be able to 
evade flexresp with near 100% chance of success. Thus in the case of a 
skilled attacker flexresp will merely slow the attacker down by thwarting 
his "first try". This might give you some time to respond before 
he modifies his attack to get around it, but it will not stop a carefully 
crafted second try at the attack. Even in the case of an automated script, 
there is always a small chance that flexresp will fail to be able to close 
the connection before it is too late, so it cannot be relied upon as a sole 
defense against worms and scripts either."
