[Snort-users] Confirming flexresponse
mkettler at ...4108...
Tue May 1 15:06:54 EDT 2007
Cesar Diaz wrote:
> I compiled snort with flexresponse enabled and added "resp:rst_all" to a
> few P2P rules. I still see alerts on those rules in BASE, but I assume
> that after it is detected, the RST packet is sent and the connection
> Is there a way to confirm that the response is taking place, and then if
> it worked or not?
Probably the only sure way is to use wireshark, tcpdump or some other packet
tracing tool. If you see the RST or ICMP error packet being generated, you know
flexresp got triggered. If you see the data stream stop, you know it worked.
I don't know of any good automated way to do this.
Also, you should be aware that while flexresp works quite well, it isn't a
sure-fire thing. It will not work every time, as it's all timing dependent.
(Flexresp has to get the RST packet out before more data from the connection
comes along and advances the TCP sequence number beyond the window.)
Flexresp is an excellent and easy-to-use augment to your network tools, but
nobody should rely on it in their security plan as if it were a sure-fire thing.
It's failures are somewhat rare, but they do exist. i.e.: flexresp isn't a
firewall, don't treat it as one.
If for some reason you need sure-fire cutoff you might want to look at tools
like snort-inline or snortsam.
in general the tradeoffs of the three tools could be summarized (in brief):
flexresp: fast reacting, easy to use, built into snort, but not 100% reliable at
snort-inline: fast reacting, more work, reliably kills connections, somewhat
snortsam: has some latency, more work, reliably kills connections and will work
with nearly any firewall product.
More information about the Snort-users