FW: [Snort-users] Flex-Response, anyone using it?
billygates_sux at ...125...
Thu May 20 08:34:04 EDT 2004
Paul's an idiot! As usual nothing of value in his writing.
Flexresp works well, as all it needs to do is send out a reset packet (or
icmp unreachable or such) if a certain condition is met. And yes, if you
write a rule to send a reset packet when a syn packet on port 25 arrives it
will send one out and block the connection. HOWEVER, you should not use
flexresp with normal snort smtp rules, as mail servers do not like
connections being reset while they are receiving a msg. As Paul only uses this
to torment admins with less knowledge than him (I don't know how that
is possible) he cannot testify to its use in a real environment. If they
were smarter they might just track his ass down and beat him senselessly.
Flexresp is certainly not an IPS solution, but it's nice on a limited
scale. And though I said I don't recommend it, you could write a snort
rule that uses regex to detect the string "On Behalf Of Paul Schmehl" and
reset that waste of bandwidth!
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul Schmehl
Sent: Wednesday, May 19, 2004 4:04 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Flex-Response, anyone using it?
--On Wednesday, May 19, 2004 10:07:45 AM -0500 Dusty Hall
<halljer at ...8709...> wrote:
>I'm curious to know how many people, if any, are using Flex-Response and
>what kind of results they have seen? I've been using it for some P2P rules
>but haven't actually tested it from the client. Any information would be
There's been a lot of discussion on this list about not depending upon
flexresp to do much for you.
Having said that, I can tell you from personal experience that it will
completely prevent communication between two smtp servers.
So I would say it works pretty well. Whether or not it will actually
prevent an attack, I can't say from personal experience, but I *can* tell
you it will irritate the hell out of an admin trying to track down a failed
connections problem. :-)
And yes, we still use it.
Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member