[Snort-users] snort 2.3.3 --enable-flexresp

John C. Silvia john at ...13282...
Mon Apr 25 08:04:35 EDT 2005


Remember that the tcp resets generated by flexresp go out via the 
default route or whatever route is more appropriate.

This is very limiting, but can still be useful.  For starters, this 
means that if you have a snort setup with two interfaces - one with IP 
for management and one without for sniffing, then your detector will be 
sending out the resets on the TCP interface.

If you're huddling IDS's behind a Check Point firewall for instance, and 
you have a dedicated DMZ for the IDS's, then you must disable address 
spoofing on that interface of the check point (and deal with the griping 
and consequences) in order for FlexResp to work.

Snortsam is a better choice since it'll block at the router or firewall, 
and you don't have to turn off any anti-spoofing.  Inline is perhaps the 
best method, but carries too many risks as it can become a point of failure.

hans wrote:

>hi all 
>
>i tried the experimental feature '--enable-flexresp' for 
>compiling snort 2.3.3 on solaris 9 ( both sparc and intel plattform ) 
>
>the first tests did run well, the following rule did 
>disconnect an incomming connection immediate:
>
>alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; resp:rst_all; )
>
>the next step was to modify this rule sligthly. the disconnect should 
>only appear, if the word "hello" was seen, with this rule: 
>
>alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; content:"hello"; resp:rst_all; )
>
>i telnet to port 25, key in "hello"  ( knowing it's not a smtp-dialog  ) 
>and nothing happens. i get a logentry, so the rule is involved 
>if the word "hello" is seen, but no disconnect. 
>
>i searched a lot of time around the internet, but could find 
>any advice, what the problem could be. 
>
>every advice would be helpfully. 
>
>just disconnecting any incomming connection could be the idea, a 
>tcpwrapper could this job too. 
>
>
>best regards 
>hans 
>
>  
>

-- 
John C. Silvia
VP Information Systems & CTO
Cadamier Internet Security Corporation
http://www.cadamier.com
john at ...13282...
303-249-3204 cell
720-898-4872 office





More information about the Snort-users mailing list