[Snort-users] Re: Flex-Response, anyone using it?

Richard Bejtlich taosecurity at ...11827...
Wed May 19 11:43:02 EDT 2004

Dusty Hall wrote:

> I'm curious to know how many people, if any, are using Flex-Response and
> what kind of results they have seen?

I've used flexible response to knock down connections to ports 135,
139, 445, and 1433 TCP in short term incident response containment
situations.  It's no substitute for access control via firewall rule,
but it's better than nothing.

I tell Snort to watch for packets with A+ set so it has multiple
chances to tear down the session, starting with the SYN ACK response
from the target.

In some cases the tear down is immediate, and in others the attacker
is still able to deliver a payload.

Don't bother using flexible response with HTTP or other short-lived sessions.

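As an added illustration, not taken from Bejtlich's post or from the Snort project, here is one way to write the containment rule he describes in Snort 2.x rule syntax. It assumes a Snort build with flexible response compiled in (so the `resp` keyword is accepted) and the usual `$HOME_NET` / `$EXTERNAL_NET` variables; the `msg` text and `sid` are placeholders.

```snort
# Added example, not from the original post. Assumes a Snort 2.x build with
# flexible response enabled so the "resp" keyword is available.
#
# The rule is bidirectional (<>) so it sees the target's SYN/ACK as well as
# the attacker's later ACK/PSH packets. flags:A+ matches any packet with ACK
# set (plus any other flags), which is what gives Snort several chances to
# reset the session. resp:rst_all sends TCP RSTs toward both endpoints.
alert tcp $EXTERNAL_NET any <> $HOME_NET [135,139,445,1433] ( \
    msg:"IR containment - reset session to Windows/SQL ports (placeholder)"; \
    flags:A+; \
    resp:rst_all; \
    sid:1000001; rev:1; \
)
```

Because the reset is generated only after Snort has already seen a matching packet, the endpoints may have exchanged data by the time it arrives; that is the race behind the "attacker is still able to deliver a payload" outcome above, and why this belongs in short-term containment rather than in place of a firewall rule. `resp:rst_snd` and `resp:rst_rcv` exist as well if you only want to reset one side.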