[Snort-users] react: block
jeff at ...950...
Mon Jul 28 13:15:04 EDT 2003
--On Friday, July 25, 2003 13:02 -0400 Matt Kettler <mkettler at ...4108...>
> Heh, "react: block" basically causes snort to use flexresp to try to
> reset the connection.
The keywords react and respond use different code.
> Of course, if the transfer consists only of one packet, resetting the
> connection won't matter.
> Also in the case of very small http'ed images and snort running stream4,
> you won't likely try to issue a reset until the image is done anyway.
> Besides.. any skilled attacker can bypass flexresp at will with great
> ease. IMO, you'd be an absolute fool to use flexresp with any
> expectations of it working well.
Rarely can things be painted with such a broad brush. There are many
shades of gray.
It's simply a race. Passive sensors are at an inherent disadvantage when
it comes to knocking down a connection as is the case with active
response. A passive sensor will realistically have almost no chance of knocking
down the connection on the target IP stack by sending a single packet. The
odds of winning the race improve slightly when it comes to winning the race
by resetting the sending IP stack with a single packet. When it comes to
the react keyword the odds of success are much different. The react
keyword implements HTTP blocking and must do a great deal more work than
the active response implemented within the resp keyword.
By sending several packets to both the target and the sender, the odds of
successful active response are much better. Also, attempts to
desynchronize a TCP connection in addition to trying to knock it down are
http://cerberus.sourcefire.com/~jeff (gpg key available)
Great spirits have always encountered violent opposition from
mediocre minds. - Albert Einstein
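The two keywords discussed above live in different parts of Snort, so a rule has to pick one. The following is an added illustration, not taken from the thread or from the Snort distribution: two Snort 2.x-style rules, one using resp to reset both ends of a TCP session and one using react to answer an HTTP request with a block page. The content string, sid values and port are made up for the example; resp requires a flexresp-enabled build, and the exact react option list differs between Snort versions, so check the manual for the build you run.

```snort
# Constructed example rules, not from the original post or the Snort project.
# Active response via the resp keyword (flexresp): on a match, Snort sends
# TCP RST packets toward both the sender and the receiver. Whether either
# stack honours the RST before the session completes is the race described
# in the thread.
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE resp rst_all on match"; \
    flow:to_server,established; content:"/blocked-path/"; nocase; \
    resp:rst_all; sid:1000001; rev:1;)

# HTTP blocking via the react keyword: instead of a bare reset, Snort
# replies to the client with an HTTP response carrying a block notice and
# then tears the session down, which is more work and a different code
# path than resp.
alert tcp any any -> $HOME_NET 80 (msg:"EXAMPLE react block on match"; \
    flow:to_server,established; content:"/blocked-path/"; nocase; \
    react:block; sid:1000002; rev:1;)
```

Both rules only fire after the packet that matched has already been seen by the sensor, which is why the thread treats every active-response outcome as a race rather than a guarantee; logging the alert itself remains the reliable part.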