[Snort-users] Documentation suggestions regarding the unreliability flexresp.
security at ...9153...
Fri Jul 25 11:11:04 EDT 2003
I agree ... but in which cases does a flexresp even make sense to use?
I'm not actually using it but toying w/ it and an open DHCP server on the
network to make some type of deterrence possible. It would be nice to have
the ability to respond w/ your own crafted packets for other things, but I'm sure
that's why the mechanism was implemented to begin with; it's just that you can't
do much with it now as is.
pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47
----- Original Message -----
From: "Matt Kettler" <mkettler at ...4108...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, July 25, 2003 10:17 AM
Subject: [Snort-users] Documentation suggestions regarding the unreliability
> It seems to be a common misunderstanding that flexresp actually works well
> and is usable as a reliable alternative to a firewall.
> Certainly nobody that understands how flexresp works would be foolish
> enough to think of it as a firewall alternative, but the documentation
> that comes with snort fails to make it clear that flexresp can be bypassed 100%
> of the time by a skilled attacker, and that it may not even work reliably
> against "routine" traffic.
> I'd suggest that all the documentation regarding flexresp be updated to
> have at least some mention of the fact that it is unreliable.
> docs/README.FLEXRESP is a VERY obvious target that should have a mention of
> this. I'd also suggest that the "react:block" in the web documentation have
> some mention of it.
> Something along the lines of this would be appropriate:
> "It should be noted that the Flexresp mechanism is not a reliable one and
> should be treated as a "last resort" type option. If a skilled attacker is
> aware that flexresp is being used he can craft his packets to be able to
> evade flexresp with near 100% chance of success. Thus in the case of a
> skilled attacker flexresp will merely slow the attacker down by thwarting
> his "first try". This might give you some time you have to respond before
> he modifies his attack to get around it, but it will not stop a carefully
> crafted second try at the attack. Even in the case of an automated script,
> there is always a small chance that flexresp will fail to be able to close
> the connection before it is too late, so it cannot be relied upon as a
> defense against worms and scripts either.".