-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Aug 29, 2004, at 1:14 PM, Keith W. McCammon wrote:
Right know, I've just compiled and installed snort 2.2.0 with
flexresp2
support. I'm about to test flexresp2 capabilities, but It seems to
have no
support for slowing down TCP connections (i.e. for slowing down TCP
Scans
for instance...)
Why would Snort want to "slow down" a TCP scan? Snort will catch it,
and under certain circumstances, flexresp2 can reset those
connections. That's pretty much the extent of Snort's involvement.
Do you know any plug-in that allows Snort to slow down TCP
connections speed
(i.e. resize TCP window size) ?
No. What would you accomplish by doing this? Either block the
traffic or don't. Slowing it down won't really get you anywhere
(it'll just take the attacker longer to do the same thing).
I think the point of "slowing down" TCP connections is to exhaust
socket descriptors on the host performing the scanning. It depends
entirely on a number of factors, but if you "control the horizontal and
the vertical", then you can certainly have some fun tarpitting
machines.
- -Jeff
- --
Top security experts. Cutting edge tools, techniques and information.
Tokyo, Japan November, 2004 http://www.pacsec.jp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (Darwin)
iD8DBQFBMpGcEqr8+Gkj0/0RAiX9AKCAhb6SxhuTYh6zWk6CcF5qOHuHcwCgqW5Q
rmESfyFfYeBmfHy36b+GVuM=
=Uv25
-----END PGP SIGNATURE-----
-------------------------------------------------------
This SF.Net email is sponsored by BEA Weblogic Workshop
FREE Java Enterprise J2EE developer tools!
Get your free copy of BEA WebLogic Workshop 8.1 today.
http://ads.osdn.com/?ad_id=5047&alloc_id=10808&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
