Snort mailing list archives
Re: Flex Resp
From: Neil Dickey <neil () geol niu edu>
Date: Mon, 13 Aug 2001 13:46:17 -0500 (CDT)
"Larry E. Smith Jr." <lsmithjr () monster-solutions net> wrote asking:
> What is the benefit of compiling snort with Flex Resp?
"Flex Resp" allows Snort to respond to a packet of some particular description in addition to logging it. The rules pages on the Snort website give more detail, but one possibility is that on receipt of a CodeRedII packet the Snort machine could send a reset packet both to the source machine and the receiving machine, thereby terminating the exchange before it would normally have ended.

There are potential problems, however, and the "Flex Resp" capability should be used with some caution. Depending on the nature of the attack, "Flex Resp" can initiate a packet storm which can make your logs unbelievably huge in really short periods of time -- not to mention the bandwidth consumed by the traffic. In short, you can DOS yourself with it if you're not careful.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois 60115
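The caution in the reply above, shown as an added example that is not part of the original message or of the Snort project's rule set: two rules using the flexible-response `resp` keyword, one over-broad and one narrowly scoped. The `$EXTERNAL_NET` and `$HTTP_SERVERS` variables are assumed to be defined in snort.conf, and the `.ida?` match string is a constructed stand-in for a real signature.

```snort
# Added example: constructed rules, not from the original post.
# Both need a Snort build with flexible response support compiled in.

# Over-broad: every TCP packet to port 80, from anyone to anyone,
# produces a log entry plus reset packets to both ends (rst_all).
# On a busy segment each matching packet costs extra traffic and
# log volume, which is the self-inflicted DoS the reply warns about.
alert tcp any any -> any 80 (msg:"HTTP traffic - reset (too broad)"; resp:rst_all;)

# Scoped: only established inbound sessions to the listed web servers
# whose request URI contains the constructed pattern are reset.
# Direction, destination and content all have to match before any
# response packet is sent, so normal traffic is left alone.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"Suspicious .ida request (constructed signature)"; flags:A+; uricontent:".ida?"; nocase; resp:rst_all;)

# A more conservative variant resets only the sending side:
#   resp:rst_snd;
# Running the same rule without resp first shows how often it fires
# before any active response is enabled.
```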