[Snort-users] Flex-Response, anyone using it?

Jason Haar Jason.Haar at ...294...
Wed May 19 17:21:51 EDT 2004

On Wed, May 19, 2004 at 03:04:28PM -0500, Paul Schmehl wrote:
> >I'm curious to know how many people, if any, are using Flex-Response and
> >what kind of results they have seen?  I've been using it for some P2P
> >rules but haven't actually tested it from the client.  Any information
> >would be greatly appreciated.

We use it and it works well. We've turned it on for specific rules - such as
BLASTER and Sasser exploits. 

However you much appreciate it relies VERY much on your network
configuration. All TCP RSETs are sent from eth0 (your primary Ethernet
interface) with spoofed IP addresses. So you network has to be configured so
as to allow those packets to reach the actual client and server that it is
trying to break the connection between. If there is a firewall/NAT router of
any description between those packets and the end-servers, then it is likely
to FAIL (as they will block this weird packet showing up from an interface
that wasn't involved in the original TCP stream).

But if your network topology is up to it, and the thing you are trying to
break is "long lived" enough to be ruined by the RESET, then it works well.

Give it a go, we specifically put a "test Active IDS" rule in so as to be
able to test the effectiveness of flexresp on newly installed Snort boxes: e.g.

alert tcp any any -> $HOME_NET 80 (msg:"Access denied by Active IDS \
 test rule!"; uricontent:"/active-rule-SDF32434DFDF.txt";resp: rst_all;)

(i.e. we just have to go to any internal Web site that flows past an IDS to
test it - you should get an empty page/broken page instead of a "404 not
found" error page)


Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

More information about the Snort-users mailing list