FW: [Snort-users] Flex-Response, anyone using it?

IDont ThinkSo billygates_sux at ...125...
Thu May 20 08:34:04 EDT 2004

   Paul's an idiot!  As usual nothing of value in his writing.

   Flexresp works well, as all it needs to do is send out a reset packet (or 
icmp unreachable or such) if a certain condition is met.  And yes, if you 
write a rule to send a reset packet when syn packet on port 25 arrives it 
will send one out and block the connection.  HOWEVER, you should not use 
flexresp with normal snort smtp rules, as mail servers do not like 
connections being reset while it is receiving a msg.  As paul only uses this 
only to torment admins with less knowledge than him (I don't know how that 
is possible) he cannot testify to its use in a real environment.  If they 
were smarter they might just track his ass down and beat him senselessly.

   Flexresp is certainly not an IPS solution, but its nice on a limited 
scale.   And though I said I don't recommend it, you could write a snort 
rule that uses regex to detect the string "On Behalf Of Paul Schmehl" and 
reset that waste of bandwidth!

-----Original Message-----
From: snort-users-admin at lists.sourceforge.net 
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul Schmehl
Sent: Wednesday, May 19, 2004 4:04 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Flex-Response, anyone using it?

--On Wednesday, May 19, 2004 10:07:45 AM -0500 Dusty Hall 
<halljer at ...8709...> wrote:

>I'm curious to know how many people, if any, are using Flex-Response and 
>what kind of results they have seen?  I've been using it for some P2P rules 
>but haven't actually tested it from the client.  Any information would be 
>greatly appreciated.
There's been a lot of discussion on this list about not depending upon 
flexresp to do much for you.

Having said that, I can tell you from personal experience that it will 
completely prevent communication between two smtp servers.

So I would say it works pretty well.  Whether or not it will actually 
prevent an attack, I can't say from personal experience, but I *can* tell 
you it will irritate the hell out of an admin trying to track down a failed 
connections problem.  :-)

And yes, we still use it.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member

This SF.Net email is sponsored by: SourceForge.net Broadband Sign-up now for 
SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
Snort-users list archive:

Get 200+ ad-free, high-fidelity stations and LIVE Major League Baseball 
Gameday Audio! http://radio.msn.click-url.com/go/onm00200491ave/direct/01/

More information about the Snort-users mailing list