[Snort-users] react: block

Jeff Nathan jeff at ...950...
Mon Jul 28 13:15:04 EDT 2003

--On Friday, July 25, 2003 13:02 -0400 Matt Kettler <mkettler at ...4108...>
> Heh, "react: block" basically causes snort to use flexresp to try to
> reset the connection.

The keywords react and respond use different code.

> Of course, if the transfer consists only of one packet, resetting the
> connection won't matter.
> Also in the case of very small http'ed images and snort running stream4,
> you won't likely try to issue a reset until the image is done anyway.
> Besides.. any skilled attacker can bypass flexresp at will with great
> ease. IMO, you'd be an absolute fool to use flexresp with any
> expectations of it working well.

Rarely can things be painted with such a broad brush.  There are many 
shades of gray.

It's simply a race.  Passive sensors are at an inherent disadvantage when 
it comes to knocking down a connection as is the case with active response.
A passive sensor will realistically have almost no chance of knocking
down the connection on the target IP stack by sending a single packet.  The 
odds of winning the race improve slightly when it comes to winning the race 
by resetting the sending IP stack with a single packet.  When it comes to 
the react keyword the odds of success are much different.  The react 
keyword implements HTTP blocking and must do a great deal more work than 
the active response implemented within the resp keyword.

By sending several packets to both the target and the sender, the odds of 
successful active response are much better.  Also, attempts to 
desynchronize a TCP connection in addition to trying to knock it down are 
potentially viable.

-Jeff

--
http://cerberus.sourcefire.com/~jeff       (gpg key available)
Great spirits have always encountered violent opposition from
mediocre minds.   - Albert Einstein
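
The race described in the message above can be sketched as a toy model; this is an added example, not part of the original post and not Snort's flexresp or react code. It assumes RFC 793 reset handling (a RST counts only if its sequence number falls inside the receive window), fixed 1460-byte segments, no sequence wraparound, and a hypothetical sensor that spaces its resets one window apart; every name and number is constructed.

```python
# Added illustration: a toy model of the race, not Snort's flexresp/react code.
# Assumptions (not from the post): RFC 793 reset handling, fixed-size segments,
# no 32-bit wraparound, and a sensor that spaces resets one window apart.

MSS = 1460  # assumed bytes per segment


def rst_accepted(rst_seq, rcv_nxt, rcv_wnd):
    """RFC 793: a RST is honoured only if its sequence number is in-window."""
    return rcv_nxt <= rst_seq < rcv_nxt + rcv_wnd


def resets_land(expected_seq, segs_before_arrival, rcv_wnd, rst_count):
    """True if any of rst_count spoofed resets hits one endpoint's window.

    expected_seq: next sequence number the endpoint wanted when the sensor
        saw the offending packet (derived from that packet's seq/ack).
    segs_before_arrival: segments the endpoint accepts while the sensor is
        still detecting and injecting; this lag is the race.
    """
    rcv_nxt = expected_seq + segs_before_arrival * MSS
    guesses = (expected_seq + i * rcv_wnd for i in range(rst_count))
    return any(rst_accepted(g, rcv_nxt, rcv_wnd) for g in guesses)


def connection_torn_down(target, sender, rst_count):
    """Resetting either endpoint is enough; each side is (seq, lag, wnd)."""
    return any(resets_land(seq, lag, wnd, rst_count)
               for seq, lag, wnd in (target, sender))


if __name__ == "__main__":
    # Constructed values: the target is mid-transfer, the sender sees less data.
    target = (1_000_000, 12, 8192)  # 12 segments arrive before the resets do
    sender = (5_000, 3, 8192)       # only 3 segments flow back to the sender
    for n in (1, 2, 4):
        print(n, "reset(s) per side:",
              "target", resets_land(*target, n),
              "sender", resets_land(*sender, n),
              "either", connection_torn_down(target, sender, n))
```

With these constructed numbers a single reset per side loses the race at both ends, two per side win only at the quieter sender, and four per side win at both.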