[Snort-users] Flex-Response, anyone using it?

Jason security at ...5028...
Thu May 20 11:51:01 EDT 2004

James Riden wrote:

> Jason <security at ...5028...> writes:
>>It will be a few weeks before I can get around to testing it for this
>>case so if anyone wants to give it a try and confirm functionality
>>"that would be great".
> [...]

This is because your management interface is on a network that can route
the forged packets to the destination. The case I was referring to is
using this method to inject traffic onto the wire in the same location
as the sensing interface or into a location where the forged packets can
be handled properly, thus ensuring there is a routable destination.
I think it might also give a better chance of resetting the connection
before the offending packet reaches the destination.

Like in this network

    |<-- inject
    |      |
Firewall  |
    |      |
    | <-- DMZ Sensor
    |      |    |
Firewall  |    |
    |      |    | <--- dedicated mgmt
    |<-- inject |
    |           |
Internal   Firewall
    |           |

> It just seemed to work OK out of the box, with minimal fiddling. No
> traffic is appearing on the wrong interfaces, etc.
>>Don't forget... When you report your test results back to the list do
>>not forget that the TPS report has a new format, didn't you read the
> Er, sorry?

Every time I hear or say "that would be great" I am obligated to make a
reference to the TPS report from the movie Office Space.

