[Snort-users] Flex-Response, anyone using it?

Jason security at ...5028...
Wed May 26 21:10:03 EDT 2004


James Riden wrote:

> Jason <security at ...5028...> writes:
> 
> 
>>It will be a few weeks before I can get around to testing it for this
>>case so if anyone wants to give it a try and confirm functionality
>>"that would be great".
> 
> [...]

This is because your management interface is on a network that can route 
the forged packets to the destination. The case I was referring to is 
using this method to inject traffic onto the wire in the same location 
as the sensing interface thus ensuring there is a routable destination. 
I think it might also give a better chance of resetting the connection 
before the offending packet reaches the destination.

Like in this network:

internet
    |
  Router
    |
    |<-- inject
    |      |
Firewall  |
    |      |
    | <-- DMZ Sensor
    |      |    |
Firewall  |    |
    |      |    | <--- dedicated mgmt
    |<-- inject |
    |           |
Internal   Firewall
    |           |
    |___________|
      Computers


> 
> It just seemed to work OK out of the box, with minimal fiddling. No
> traffic is appearing on the wrong interfaces, etc.
> 
> 
>>Don't forget... When you report your test results back to the list do
>>not forget that the TPS report has a new format, didn't you read the
>>memo.
> 
> 
> Er, sorry?

Every time I hear or say "that would be great" I am obligated to make a 
reference to the TPS report from the movie Office Space.

> 





