[Snort-users] More explanation needed in Snort User Manual for "resp:"?

Matt Kettler mkettler at ...4108...
Thu Nov 6 14:12:02 EST 2003


At 03:53 PM 11/6/2003, Jason Haar wrote:
>. But this
>still seems like a bug to me, as I can't think of a reason why you would
>ever want the packet to leave through anything other than the interface it
>was seen on! [well, except one: TAPs - but that's pretty special case]

>Am I missing something here?

Yes, the fact that if you're doing TCP resets, you really want to send a 
tcp reset to the destination of the attack, not the source. This may or may 
not be the same interface that the attack came in on, particularly if your 
snort sensor is running on a routing box.

And taps really aren't that special of a case, or at least shouldn't be. Of 
course, I also suspect most snort users aren't careful enough to be running 
snort chroot/setuid either (sigh).





More information about the Snort-users mailing list