[Snort-users] Flex-Response, anyone using it?

CGhercoias at ...8619... CGhercoias at ...8619...
Thu May 20 11:08:11 EDT 2004


All,

I receive all the emails from this list and I read pretty much all of
them. I do not always post answers to the questions because I feel that
I do not have enough knowledge to teach others, although I have been
using snort for quite some years already.

I do not know Paul Schmehl personally, but I had a chance to hear him
speak at Information Security Decisions last month in New York City.
I would never call him or anybody else the way that this individual
-- IDont ThinkSo [billygates_sux at ...125...] -- called him. An
individual who does not even have the courage to sign with his real
name or to send the email from a real email address.

These kinds of people are the sort we are fighting against on a daily
basis; these are the ones who tomorrow might try to hack into our
systems. This individual does not belong among the professionals; he is
not mature enough. He is not knowledgeable enough to be allowed to speak
publicly.

The admins of lists.sourceforge.net should remove his alias from any/all
lists.

***************************
>> And though I said I don't recommend it, you could write a snort rule
>> that uses regex to detect the string "On Behalf Of Paul Schmehl" and
>> reset that waste of bandwidth!
***************************

Here you go:

# "any" is not a Snort protocol keyword, and resp:rst_snd can only reset a
# TCP session, so the rule must be written for tcp. The classtype must also
# exist in classification.config or Snort will refuse to load the rule.
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (sid:1000589; rev:1; \
    msg:"Drop Email -- Waste of time"; content:"billygates_sux at ...125..."; \
    content:"IDont ThinkSo"; resp:rst_snd,icmp_all; classtype:bothering-activity;)

Any emails from "billygates_sux at ...125..." will go directly to >
/dev/null.

Thank you,
___________________________
Catalin A. Ghercoias
WEB/Network Security Administrator 
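As an added example (not from this thread or from the Snort project), the following checker parses a one-line Snort rule and flags the problems this thread circles around: a resp:rst_* option on a rule whose protocol is not tcp, a reset aimed at port 25 where an MTA is mid-message, and a classtype that is not in classification.config. The sample rules, the KNOWN_CLASSTYPES subset and the header regex are assumptions made for the example.

```python
import re

# Constructed sample rules: the first mirrors the rule posted in the thread
# (protocol "any", joke classtype); the second is a corrected tcp variant.
RULES = [
    'alert any $EXTERNAL_NET any -> $HOME_NET 25 (sid:1000589; rev:1; '
    'msg:"Drop Email -- Waste of time"; content:"billygates_sux"; '
    'resp:rst_snd,icmp_all; classtype:bothering-activity;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (sid:1000590; rev:1; '
    'msg:"Drop Email"; content:"billygates_sux"; resp:rst_all; '
    'classtype:misc-activity;)',
]

# Assumed subset of the classtypes found in a stock Snort classification.config.
KNOWN_CLASSTYPES = {"misc-activity", "attempted-admin", "policy-violation",
                    "trojan-activity", "bad-unknown"}
# Assumed Snort 2 header layout: action proto src sport dir dst dport (options)
HEADER = re.compile(r'^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)$')

def parse_rule(rule):
    """Split a one-line Snort rule into header fields and an ordered option list."""
    m = HEADER.match(rule.strip())
    if not m:
        raise ValueError("unparseable rule header: " + rule[:40])
    action, proto, src, sport, _, dst, dport, body = m.groups()
    opts = []
    for opt in re.findall(r'(?:[^;"]|"[^"]*")+', body):  # ';' inside quotes is kept
        key, _, val = opt.strip().partition(":")
        if key:
            opts.append((key.strip(), val.strip()))
    return {"action": action, "proto": proto, "dport": dport, "opts": opts}

def check_flexresp(rule):
    """Return short warning codes for a rule that uses flexresp (the resp: option)."""
    r = parse_rule(rule)
    opts = dict(r["opts"])
    warnings = []
    if "resp" not in opts:
        return warnings
    kinds = {k.strip() for k in opts["resp"].split(",")}
    sends_rst = any(k.startswith("rst_") for k in kinds)
    if sends_rst and r["proto"] != "tcp":
        warnings.append("rst-on-non-tcp")     # a TCP reset needs a tcp rule
    if sends_rst and r["dport"] == "25":
        warnings.append("reset-on-smtp")      # thread's caveat: MTAs dislike mid-message resets
    if opts.get("classtype") not in KNOWN_CLASSTYPES:
        warnings.append("unknown-classtype")  # must exist in classification.config to load
    return warnings

if __name__ == "__main__":
    for rule in RULES:
        print(dict(parse_rule(rule)["opts"])["sid"], check_flexresp(rule))
```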




-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of IDont ThinkSo
Sent: Wednesday, May 19, 2004 4:37 PM
To: halljer at ...8709...
Cc: snort-users at lists.sourceforge.net
Subject: FW: [Snort-users] Flex-Response, anyone using it?

   Paul's an idiot!  As usual nothing of value in his writing.

   Flexresp works well, as all it needs to do is send out a reset packet
(or icmp unreachable or such) if a certain condition is met.  And yes, if
you write a rule to send a reset packet when a syn packet on port 25
arrives it will send one out and block the connection.  HOWEVER, you
should not use flexresp with normal snort smtp rules, as mail servers do
not like connections being reset while they are receiving a msg.  As Paul
only uses this to torment admins with less knowledge than him (I don't
know how that is possible) he cannot testify to its use in a real
environment.  If they were smarter they might just track his ass down and
beat him senselessly.

   Flexresp is certainly not an IPS solution, but it's nice on a limited
scale.   And though I said I don't recommend it, you could write a snort
rule that uses regex to detect the string "On Behalf Of Paul Schmehl"
and reset that waste of bandwidth!



-----Original Message-----
From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Paul Schmehl
Sent: Wednesday, May 19, 2004 4:04 PM
To: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Flex-Response, anyone using it?

--On Wednesday, May 19, 2004 10:07:45 AM -0500 Dusty Hall
<halljer at ...8709...> wrote:

> I'm curious to know how many people, if any, are using Flex-Response
> and what kind of results they have seen?  I've been using it for some
> P2P rules but haven't actually tested it from the client.  Any
> information would be greatly appreciated.
>
There's been a lot of discussion on this list about not depending upon
flexresp to do much for you.

Having said that, I can tell you from personal experience that it will
completely prevent communication between two smtp servers.

So I would say it works pretty well.  Whether or not it will actually
prevent an attack, I can't say from personal experience, but I *can*
tell you it will irritate the hell out of an admin trying to track down
a failed connections problem.  :-)

And yes, we still use it.

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users







