[Snort-users] Documentation suggestions regarding the unreliability flexresp.

Jon Baer security at ...9153...
Fri Jul 25 11:11:04 EDT 2003


i agree ... but in which cases does flexresp even make sense to use?
honeypot plugins?

im not actually using it but toying w/ it and an open dhcp server on the
network to make some type of deterrence possible.  it would be nice to have
the ability to respond w/ur own crafted packets for other things but im sure
that's why the mechanism was implemented to begin with, it's just that u can't
do much with it now as is.

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47


----- Original Message ----- 
From: "Matt Kettler" <mkettler at ...4108...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, July 25, 2003 10:17 AM
Subject: [Snort-users] Documentation suggestions regarding the unreliability flexresp.


> It seems to be a common misunderstanding that flexresp actually works well
> and is usable as a reliable alternative to a firewall.
>
> Certainly nobody that understands how flexresp works would be foolish
> enough to think of it as a firewall alternative, but the documentation that
> comes with snort fails to make it clear that flexresp can be bypassed 100%
> of the time by a skilled attacker, and that it may not even work reliably
> against "routine" traffic.
>
> I'd suggest that all the documentation regarding flexresp be updated to
> have at least some mention of the fact that it is unreliable.
>
> docs/README.FLEXRESP is a VERY obvious target that should have a mention of
> this. I'd also suggest that the "react:block" in the web documentation have
> some mention of it.
>
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.24
>
> Something along the lines of this would be appropriate:
>
> "It should be noted that the Flexresp mechanism is not a reliable one and
> should be treated as a "last resort" type option. If a skilled attacker is
> aware that flexresp is being used he can craft his packets to be able to
> evade flexresp with near 100% chance of success. Thus in the case of a
> skilled attacker flexresp will merely slow the attacker down by thwarting
> his "first try". This might give you some time you have to respond before
> he modifies his attack to get around it, but it will not stop a carefully
> crafted second try at the attack. Even in the case of an automated script,
> there is always a small chance that flexresp will fail to be able to close
> the connection before it is too late, so it cannot be relied upon as a sole
> defense against worms and scripts either."
>
>
>
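The point Matt makes about flexresp sometimes failing to close the connection "before it is too late" comes down to where the sensor sits: a passive Snort sensor on a tap or SPAN port only sees a packet as it is already being forwarded, so any TCP reset it injects trails the packet that triggered it, whereas an inline firewall or IPS drops the packet before delivery. The following is an added toy model of that ordering, written for this page and not code from the thread or from Snort; it ignores RST sequence-number validity, packet loss and sensor latency and models only which bytes reach the destination under each placement. The packets, the `BADSTRING` signature and the helper names are all constructed for the example.

```python
"""Toy model of the race inherent in out-of-band active response.

A passive sensor (tap or SPAN port) sees a copy of a packet only as it is
already on its way to the destination, so an injected RST arrives behind the
packet that matched. An inline device drops the packet before delivery.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Packet:
    payload: bytes
    rst: bool = False  # True for an injected TCP reset (model only)


@dataclass
class Server:
    """Destination host: records payloads delivered before any reset."""
    received: List[bytes] = field(default_factory=list)
    reset: bool = False

    def deliver(self, pkt: Packet) -> None:
        if self.reset:
            return  # connection already torn down, nothing more accepted
        if pkt.rst:
            self.reset = True
            return
        self.received.append(pkt.payload)


def run_passive_sensor(packets: List[Packet], signature: bytes) -> Server:
    """Flexresp-style response: the sensor observes each packet after it is
    already heading to the server, so the RST is queued *behind* the match."""
    server = Server()
    wire = list(packets)  # copy; the caller's list is not mutated
    i = 0
    while i < len(wire):
        pkt = wire[i]
        server.deliver(pkt)  # the offending packet reaches the server first
        if not pkt.rst and signature in pkt.payload:
            wire.insert(i + 1, Packet(b"", rst=True))  # reset arrives next
        i += 1
    return server


def run_inline_blocker(packets: List[Packet], signature: bytes) -> Server:
    """Inline (firewall/IPS) position: the matching packet and the rest of the
    session are dropped before anything reaches the server."""
    server = Server()
    blocked = False
    for pkt in packets:
        if blocked or signature in pkt.payload:
            blocked = True
            continue
        server.deliver(pkt)
    return server


# Constructed sample traffic. SIGNATURE stands in for whatever a rule matches on.
SIGNATURE = b"BADSTRING"

# Request spread over four segments, signature in the second one.
MULTI_SEGMENT = [
    Packet(b"GET /a "),
    Packet(b"BADSTRING"),
    Packet(b" HTTP/1.0\r\n"),
    Packet(b"\r\n"),
]

# The same request bytes in a single segment.
SINGLE_SEGMENT = [Packet(b"GET /a BADSTRING HTTP/1.0\r\n\r\n")]


def delivered_bytes(server: Server) -> bytes:
    return b"".join(server.received)


def compare(packets: List[Packet]) -> Dict[str, bytes]:
    """Bytes that reached the server under each response model."""
    return {
        "passive": delivered_bytes(run_passive_sensor(packets, SIGNATURE)),
        "inline": delivered_bytes(run_inline_blocker(packets, SIGNATURE)),
    }


if __name__ == "__main__":
    for name, traffic in (("multi-segment", MULTI_SEGMENT),
                          ("single-segment", SINGLE_SEGMENT)):
        result = compare(traffic)
        print(f"{name}: passive sensor let through {result['passive']!r}")
        print(f"{name}: inline blocker let through {result['inline']!r}")
```

In the multi-segment case the passive sensor does tear the session down, but only after the matching segment has been delivered; in the single-segment case the whole request is already in by the time the reset follows, which is the "merely slows the attacker down" behaviour the proposed README text describes. The inline model lets nothing past the match in either case.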