[Snort-users] FlexResp

Matt Kettler mkettler at ...4108...
Thu Apr 14 09:17:03 EDT 2005


Mr. venkat wrote:

> Hi all,
> I am using Snort on Windows.
> I want to add flexresp abilities to Snort.
>
> I have added resp:rst_all; to tcp rules and resp:icmp_port,icmp_host;
> to udp rules.
> These settings are added to every rule.
> Is this the correct way?

Probably not. You added it to EVERY rule? Did you carefully consider all
the false positive cases of each and every rule?

Some snort rules are good block criteria. Others are more intended to be
used for informational purposes and don't signify any malicious intent
whatsoever, but can be useful when correlated against an attack that
follows. There are also plenty that are in the grey area of "this looks
a little odd but could be legitimate".

> Also, when I try to add any of these to an ip protocol rule, Snort exits.
> Why is it exiting?
> Can't we add flexresp to an ip rule?

What did you try to have flexresp do in your ip rule? Did it have
icmp_port or rst_* in it? Those are fundamentally impossible in an IP
rule. IP doesn't have ports, only hosts.

I don't think flexresp supports ip layer rules, but even if it does, the
only thing you can possibly do is icmp_host or icmp_net. Anything else
such as icmp_port would have to bomb as soon as some IP packet came by
that wasn't tcp or udp, such as icmp.
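An added example, not from this thread or from Snort itself: a small Python lint that applies the constraints Matt describes to a Snort 2.x rules file, flagging resp: keywords that the rule's protocol cannot carry (rst_* on non-TCP, icmp_port on anything without ports) and counting how many rules carry resp: at all, since adding it to every rule is the other problem raised. The rule-header grammar is simplified, the keyword table (rst_snd/rst_rcv/rst_all, icmp_net/icmp_host/icmp_port/icmp_all) is assumed from the flexresp documentation, and the sample rules are constructed.

```python
import re
# flexresp keyword -> protocols whose packets can carry that response (as in the thread:
# rst_* needs TCP, icmp_port needs a port, icmp_host/icmp_net work for any IP protocol).
RESP_NEEDS = {
    "rst_snd": {"tcp"}, "rst_rcv": {"tcp"}, "rst_all": {"tcp"},
    "icmp_port": {"tcp", "udp"}, "icmp_all": {"tcp", "udp"},  # both send a port-unreachable
    "icmp_host": {"tcp", "udp", "icmp", "ip"}, "icmp_net": {"tcp", "udp", "icmp", "ip"},
}
# Simplified Snort 2.x header: action proto src sport (->|<>) dst dport (options)
RULE_RE = re.compile(r"^\s*\w+\s+(\w+)\s+\S+\s+\S+\s+(?:->|<>)\s+\S+\s+\S+\s*\((.*)\)\s*$")

def check_rule(rule):
    """Return problems with the resp: option of one rule ([] if none, or no resp)."""
    if not (m := RULE_RE.match(rule)):
        return ["unparseable rule"]
    proto, body, problems = m.group(1).lower(), m.group(2), []
    for opt in (o.strip() for o in body.split(";")):
        if not opt.startswith("resp:"):
            continue
        for kw in (k.strip() for k in opt[5:].split(",")):
            if kw not in RESP_NEEDS:
                problems.append(f"unknown resp keyword {kw}")
            elif proto not in RESP_NEEDS[kw]:
                problems.append(f"{kw} is not possible for proto {proto}")
    return problems

def lint_rules(text):
    """Lint a rules file: (problems keyed by line number, rules with resp:, rules total)."""
    findings, with_resp, total = {}, 0, 0
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # skip blanks and comments
        total += 1
        with_resp += "resp:" in line
        if probs := check_rule(line):
            findings[lineno] = probs
    return findings, with_resp, total

# Constructed sample rules (local sid range; not real Snort signatures).
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 21 (msg:"constructed ftp rule"; content:"USER"; resp:rst_all; sid:1000001;)
alert udp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"constructed dns rule"; resp:icmp_port,icmp_host; sid:1000002;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed ip rule"; resp:icmp_port,icmp_host; sid:1000003;)
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed ip rule 2"; resp:rst_all; sid:1000004;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"constructed informational rule"; sid:1000005;)
"""
if __name__ == "__main__":
    found, with_resp, total = lint_rules(SAMPLE_RULES)
    print("\n".join(f"line {n}: {'; '.join(p)}" for n, p in sorted(found.items())))
    print(f"{with_resp}/{total} rules carry resp:; review each one's false-positive risk")
```

Lines 3 and 4 of the sample trip the check (icmp_port and rst_all in ip rules), matching the error Mr. venkat hit; the final count shows how much of the ruleset has been turned into block criteria.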