[Snort-users] Confirming flexresponse

Matt Kettler mkettler at ...4108...
Tue May 1 15:06:54 EDT 2007

Cesar Diaz wrote:
> I compiled snort with flexresponse enabled and added "resp:rst_all" to a
> few P2P rules.  I still see alerts on those rules in BASE, but I assume
> that after it is detected, the RST packet is sent and the connection
> dropped.
> Is there a way to confirm that the response is taking place, and then if
> it worked or not?

Probably the only sure way is to use wireshark, tcpdump or some other packet
tracing tool. If you see the RST or ICMP error packet being generated, you know
flexresp got triggered. If you see the data stream stop, you know it worked.

I don't know of any good automated way to do this.

Also, you should be aware that while flexresp works quite well, it isn't a
sure-fire thing. It will not work every time, as it's all timing dependent.
(Flexresp has to get the RST packet out before more data from the connection
comes along and advances the TCP sequence number beyond the window.)

Flexresp is an excellent and easy-to-use augment to your network tools, but
nobody should rely on it in their security plan as if it were a sure-fire thing.
It's failures are somewhat rare, but they do exist. i.e.: flexresp isn't a
firewall, don't treat it as one.

If for some reason you need sure-fire cutoff you might want to look at tools
like snort-inline or snortsam.

in general the tradeoffs of the three tools could be summarized (in brief):

flexresp: fast reacting, easy to use, built into snort, but not 100% reliable at
killing connections.

snort-inline: fast reacting, more work, reliably kills connections, somewhat
platform specific.

snortsam: has some latency, more work, reliably kills connections and will work
with nearly any firewall product.

More information about the Snort-users mailing list