[Snort-users] snort 2.3.3 --enable-flexresp

hans rosa.schwein at ...12989...
Wed Apr 27 15:19:10 EDT 2005


Hi John,

Thanks for the reply.
I can't follow you. Why should routing or anti-spoofing settings in CP 
be changed if I only insert a  ' content:"hello"; '  in one rule? (See below.)
Without this, the action resp:rst_all; is OK and disconnects
this connection.


best regards 
hans 

-- 


On Mon, Apr 25, 2005 at 09:03:01AM -0600, John C. Silvia wrote:
> Remember that the tcp resets generated by flexresp go out via the 
> default route or whatever route is more appropriate.
> 
> This is very limiting, but can still be useful.  For starters, this 
> means that if you have a snort setup with two interfaces - one with IP 
> for management and one without for sniffing, then your detector will be 
> sending out the resets on the TCP interface.
> 
> If you're huddling IDS's behind a Check Point firewall for instance, and 
> you have a dedicated DMZ for the IDS's, then you must disable address 
> spoofing on that interface of the Check Point (and deal with the griping 
> and consequences) in order for FlexResp to work.
> 
> Snortsam is a better choice since it'll block at the router or firewall, 
> and you don't have to turn off any anti-spoofing.  Inline is perhaps the 
> best method, but carries too many risks as it can become a point of failure.
> 
> hans wrote:
> 
> >Hi all,
> >
> >I tried the experimental feature '--enable-flexresp' for 
> >compiling snort 2.3.3 on Solaris 9 (both SPARC and Intel platforms).
> >
> >The first tests ran well; the following rule did 
> >disconnect an incoming connection immediately:
> >
> >alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; resp:rst_all; )
> >
> >The next step was to modify this rule slightly. The disconnect should 
> >only happen if the word "hello" was seen, with this rule: 
> >
> >alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; content:"hello"; 
> >resp:rst_all; )
> >
> >I telnet to port 25, key in "hello" (knowing it's not an SMTP dialog) 
> >and nothing happens. I get a log entry, so the rule is involved 
> >if the word "hello" is seen, but there is no disconnect. 
> >
> >I searched around the internet for a long time, but could not find 
> >any advice on what the problem could be. 
> >
> >Any advice would be helpful. 
> >
> >Just disconnecting any incoming connection could be the idea; a 
> >tcpwrapper could do this job too. 
> >
> >
> >Best regards 
> >hans 
> >
> > 
> >
> 
> -- 
> John C. Silvia
> VP Information Systems & CTO
> Cadamier Internet Security Corporation
> http://www.cadamier.com
> john at ...13282...
> 303-249-3204 cell
> 720-898-4872 office
> 
> 
> 
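The thread turns on the difference between the two rules hans posted: one carries an unconditional resp:rst_all; the other gates the same active response behind a content:"hello" match. The following is an added example, not code from the thread, from hans or John, or from the Snort project: a small parser for the classic one-line Snort rule syntax shown above, plus an audit helper that lists every rule with an active response and whether that response is gated by a content match and applies bidirectionally. The first two rules are the ones from the thread; the third is a constructed sample (its nocase, sid and rev keywords are standard Snort rule options). The parser assumes the rule fits on one line and does not handle backslash-escaped quotes inside option values.

```python
"""Parse classic Snort rules and audit which ones carry an active response."""
import re
from dataclasses import dataclass, field

# Header: action proto src sport dir dst dport ( options )
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$"
)

# The first two rules are quoted from the thread; the third is constructed here.
SAMPLE_RULES = [
    'alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; resp:rst_all; )',
    'alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; content:"hello"; resp:rst_all; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"constructed sample"; '
    'content:"EHLO"; nocase; sid:1000001; rev:1;)',
]


@dataclass
class Rule:
    action: str
    proto: str
    src: str
    sport: str
    direction: str
    dst: str
    dport: str
    options: list = field(default_factory=list)  # list of (keyword, value or None)

    def get(self, keyword):
        """All values given for a keyword (empty list if the keyword is absent)."""
        return [v for k, v in self.options if k == keyword]


def split_options(text):
    """Split the option body on ';' while leaving ';' inside double quotes alone."""
    parts, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == ";" and not quoted:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        parts.append(tail)
    options = []
    for part in parts:
        if not part:
            continue
        key, sep, val = part.partition(":")
        # Keywords such as nocase take no value; keep them as (key, None).
        options.append((key.strip(), val.strip() if sep else None))
    return options


def parse_rule(line):
    """Parse one single-line Snort rule into a Rule, raising ValueError otherwise."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a snort rule: {line!r}")
    g = m.groupdict()
    return Rule(g["action"], g["proto"], g["src"], g["sport"], g["dir"],
                g["dst"], g["dport"], split_options(g["opts"]))


def audit_active_response(rules):
    """One report entry per rule: does it reset sessions, and is that gated by content?"""
    report = []
    for r in rules:
        resp = r.get("resp")
        msg = (r.get("msg") or ["<no msg>"])[0].strip('"')
        report.append({
            "msg": msg,
            "resp": resp[0] if resp else None,
            "content_gated": bool(r.get("content")),
            "bidirectional": r.direction == "<>",
        })
    return report


if __name__ == "__main__":
    for entry in audit_active_response([parse_rule(r) for r in SAMPLE_RULES]):
        print(entry)
```

Running the audit over the sample rules prints one entry per rule; the two rules from the thread both show resp set to rst_all, and only the second one shows content_gated as true, which is exactly the pair hans is comparing.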



