[Snort-users] Documentation suggestions regarding the unreliability flexresp.

Jon Baer security at ...9153...
Fri Jul 25 11:11:04 EDT 2003

i agree ... but in which cases does flexresp even make sense to use?
honeypot plugins?

I'm not actually using it but toying w/ it and an open dhcp server on the
network to make some type of deterrence possible.  it would be nice to have
the ability to respond w/ur own crafted packets for other things but I'm sure
that's why the mechanism was implemented to begin with, it's just that u can't
do much with it now as is.

- jon

pgp key: http://www.jonbaer.net/jonbaer.asc
fingerprint: F438 A47E C45E 8B27 F68C 1F9B 41DB DB8B 9A0C AF47

----- Original Message ----- 
From: "Matt Kettler" <mkettler at ...4108...>
To: <snort-users at lists.sourceforge.net>
Sent: Friday, July 25, 2003 10:17 AM
Subject: [Snort-users] Documentation suggestions regarding the unreliability

> It seems to be a common misunderstanding that flexresp actually works well
> and is usable as a reliable alternative to a firewall.
>
> Certainly nobody that understands how flexresp works would be foolish
> enough to think of it as a firewall alternative, but the documentation that
> comes with snort fails to make it clear that flexresp can be bypassed 100%
> of the time by a skilled attacker, and that it may not even work reliably
> against "routine" traffic.
>
> I'd suggest that all the documentation regarding flexresp be updated to
> have at least some mention of the fact that it is unreliable.
> docs/README.FLEXRESP is a VERY obvious target that should have a mention of
> this. I'd also suggest that the "react:block" in the web documentation have
> some mention of it.
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.24
>
> Something along the lines of this would be appropriate:
>
> "It should be noted that the Flexresp mechanism is not a reliable one and
> should be treated as a "last resort" type option. If a skilled attacker is
> aware that flexresp is being used he can craft his packets to be able to
> evade flexresp with near 100% chance of success. Thus in the case of a
> skilled attacker flexresp will merely slow the attacker down by thwarting
> his "first try". This might give you some time to respond before
> he modifies his attack to get around it, but it will not stop a carefully
> crafted second try at the attack. Even in the case of an automated script,
> there is always a small chance that flexresp will fail to be able to close
> the connection before it is too late, so it cannot be relied upon as a
> defense against worms and scripts either."
