Snort mailing list archives

FW: Flex-Response, anyone using it?


From: "IDont ThinkSo" <billygates_sux () hotmail com>
Date: Wed, 19 May 2004 16:37:17 -0400

  Paul's an idiot! As usual, nothing of value in his writing.

Flexresp works well, as all it needs to do is send out a reset packet (or ICMP unreachable or such) if a certain condition is met. And yes, if you write a rule to send a reset packet when a SYN packet on port 25 arrives, it will send one out and block the connection. HOWEVER, you should not use flexresp with normal Snort SMTP rules, as mail servers do not like connections being reset while they are receiving a message. As Paul uses this only to torment admins with less knowledge than him (I don't know how that is possible), he cannot testify to its use in a real environment. If they were smarter they might just track his ass down and beat him senseless.

Flexresp is certainly not an IPS solution, but it's nice on a limited scale. And though I said I don't recommend it, you could write a Snort rule that uses a regex to detect the string "On Behalf Of Paul Schmehl" and reset that waste of bandwidth!



-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Paul Schmehl
Sent: Wednesday, May 19, 2004 4:04 PM
To: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Flex-Response, anyone using it?

--On Wednesday, May 19, 2004 10:07:45 AM -0500 Dusty Hall <halljer () auburn edu> wrote:

I'm curious to know how many people, if any, are using Flex-Response and what kind of results they have seen? I've been using it for some P2P rules but haven't actually tested it from the client. Any information would be greatly appreciated.

There's been a lot of discussion on this list about not depending upon flexresp to do much for you.

Having said that, I can tell you from personal experience that it will completely prevent communication between two smtp servers.

So I would say it works pretty well. Whether or not it will actually prevent an attack, I can't say from personal experience, but I *can* tell you it will irritate the hell out of an admin trying to track down a failed connections problem. :-)

And yes, we still use it.

Paul Schmehl (pauls () utdallas edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/ir/security/


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

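As an added worked example (not code from this thread or from the Snort project), here is what a `resp:rst_all` rule of the kind discussed above actually puts on the wire. Given a constructed SYN to port 25, it builds the two RST segments flexresp would inject, one to each endpoint, with valid IPv4 and TCP checksums, and verifies them. The rule text, addresses, ports, sequence numbers and sid are assumptions for illustration, and the seq/ack choices follow RFC 793 acceptability rules rather than Snort's exact flexresp code.

```python
"""Added example: building flexresp-style TCP resets from a captured SYN.

Pure bytes, no network access. The seq/ack values are chosen so each RST is
acceptable to its target under RFC 793; they are this example's assumption,
not a transcription of Snort's sp_respond code.
"""
import struct
import ipaddress

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10

# Assumed Snort 2.x rule of the kind the thread describes (sid is made up).
RULE = ('alert tcp any any -> $HOME_NET 25 (msg:"SMTP SYN reset"; '
        'flags:S; resp:rst_all; sid:1000001; rev:1;)')


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words (0 means 'valid')."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, window=0):
    """Header-only IPv4+TCP packet with correct IP and TCP checksums."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                      5 << 4, flags, window, 0, 0)
    pseudo = src_b + dst_b + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000,
                     64, 6, 0, src_b, dst_b)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse(packet: bytes) -> dict:
    """Minimal IPv4/TCP header parser (honours IHL and data offset)."""
    ihl = (packet[0] & 0x0F) * 4
    ip = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    tcp = struct.unpack("!HHIIBBHHH", packet[ihl:ihl + 20])
    doff = (tcp[4] >> 4) * 4
    return {
        "src": str(ipaddress.IPv4Address(ip[8])),
        "dst": str(ipaddress.IPv4Address(ip[9])),
        "sport": tcp[0], "dport": tcp[1], "seq": tcp[2], "ack": tcp[3],
        "flags": tcp[5], "payload_len": ip[2] - ihl - doff,
    }


def ip_checksum_ok(packet: bytes) -> bool:
    return checksum(packet[:(packet[0] & 0x0F) * 4]) == 0


def tcp_checksum_ok(packet: bytes) -> bool:
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)
    return checksum(pseudo + packet[ihl:]) == 0


def flexresp_rst_all(trigger: bytes) -> dict:
    """Craft the two resets a 'resp:rst_all' match would send."""
    p = parse(trigger)
    # SYN and FIN each consume one sequence number in addition to payload.
    consumed = p["payload_len"] + (1 if p["flags"] & (SYN | FIN) else 0)
    next_seq = (p["seq"] + consumed) & 0xFFFFFFFF
    # To the sender: spoof the server; the ACK must cover the sender's SYN.
    to_sender = build_ipv4_tcp(p["dst"], p["src"], p["dport"], p["sport"],
                               seq=p["ack"], ack=next_seq, flags=RST | ACK)
    # To the receiver: spoof the client; seq must be what it expects next.
    to_receiver = build_ipv4_tcp(p["src"], p["dst"], p["sport"], p["dport"],
                                 seq=next_seq, ack=0, flags=RST)
    return {"to_sender": to_sender, "to_receiver": to_receiver}


# Constructed trigger: a client SYN to an SMTP server (addresses assumed).
SYN_TO_SMTP = build_ipv4_tcp("10.0.0.5", "192.0.2.25", 40000, 25,
                             seq=1000, ack=0, flags=SYN, window=65535)

if __name__ == "__main__":
    print(RULE)
    for name, pkt in flexresp_rst_all(SYN_TO_SMTP).items():
        q = parse(pkt)
        print(name, q["src"], q["sport"], "->", q["dst"], q["dport"],
              "flags=%#x seq=%d ack=%d" % (q["flags"], q["seq"], q["ack"]))
```

The point this makes about the thread's caveat: a reset keyed on a SYN has nothing to race, so it reliably kills the handshake, whereas a reset keyed on a content or pcre match is issued only after the matching data has already been forwarded, which is exactly why a mail server sees its session torn down mid-message. Flexresp also had to be compiled in (the `--enable-flexresp` configure option in Snort 2 of that era) before `resp:` did anything.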
