[Snort-users] Documentation suggestions regarding the unreliability flexresp.

Jeff Nathan jeff at ...950...
Mon Jul 28 12:45:18 EDT 2003



When flexresp2 is ready, it will be accompanied by new documentation.

-Jeff

--On Friday, July 25, 2003 13:17 -0400 Matt Kettler <mkettler at ...4108...> wrote:

> It seems to be a common misunderstanding that flexresp actually works
> well and is usable as a reliable alternative to a firewall.
>
> Certainly nobody that understands how flexresp works would be foolish
> enough to think of it as a firewall alternative, but the documentation
> that comes with snort fails to make it clear that flexresp can be
> bypassed 100% of the time by a skilled attacker, and that it may not even
> work reliably against "routine" traffic.
>
> I'd suggest that all the documentation regarding flexresp be updated to
> have at least some mention of the fact that it is unreliable.
>
> docs/README.FLEXRESP is a VERY obvious target that should have a mention
> of this. I'd also suggest that the "react:block" in the web documentation
> have some mention of it.
>
> http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.24
>
> Something along the lines of this would be appropriate:
>
> "It should be noted that the Flexresp mechanism is not a reliable one and
> should be treated as a "last resort" type option. If a skilled attacker
> is aware that flexresp is being used he can craft his packets to be able
> to evade flexresp with near 100% chance of success. Thus in the case of a
> skilled attacker flexresp will merely slow the attacker down by thwarting
> his "first try". This might give you some time you have to respond before
> he modifies his attack to get around it, but it will not stop a carefully
> crafted second try at the attack. Even in the case of an automated
> script, there is always a small chance that flexresp will fail to be able
> to close the connection before it is too late, so it cannot be relied
> upon as a sole defense against worms and scripts either."



http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from
mediocre minds.   - Albert Einstein