[Snort-users] Flex-Response, anyone using it?

James Riden j.riden at ...11179...
Wed May 19 18:48:02 EDT 2004


Jason Haar <Jason.Haar at ...294...> writes:

> On Wed, May 19, 2004 at 03:04:28PM -0500, Paul Schmehl wrote:
>> >I'm curious to know how many people, if any, are using Flex-Response and
>> >what kind of results they have seen?  I've been using it for some P2P
>> >rules but haven't actually tested it from the client.  Any information
>> >would be greatly appreciated.
>
> We use it and it works well. We've turned it on for specific rules - such as
> BLASTER and Sasser exploits. 
>
> However you must appreciate it relies VERY much on your network
> configuration. All TCP RSTs are sent from eth0 (your primary Ethernet
> interface) with spoofed IP addresses.

Not true on my setup; it goes on the OS routing table AFAICT. My setup
is eth0 without an IP address, hence no routes, so eth1 gets used for
flexresp traffic.

cheers,
 Jamie
-- 
James Riden / j.riden at ...11179... / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/




