Network Security: Detailed info on RE: [Snort-users] why old libnet?

Subject:	RE: [Snort-users] why old libnet?
Date:	Mon, 28 Mar 2005 11:17:51 -0600

I have seen that flexresp works very well in blocking outbound P2P and
chat programs. I would like seeing more advancement in this feature.

Thanks...

-----Original Message-----
From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Matt
Kettler
Sent: Monday, March 28, 2005 11:16 AM
To: snort-users@lists.sourceforge.net
Subject: Re: [Snort-users] why old libnet?

Florin Andrei wrote:

What is the reason why Snort can only use the old, deprecated,
libnet-1.0.x?
Since other apps are likely to use already the newer, supported,
libnet-1.1, there might be conflicts on systems using both types of
apps.


Really, the only part of snort that uses libnet is flexresp. If you're
not using flexresp, snort shouldn't be looking for libnet.

As for flexresp itself, it's getting to be a bit on the "aged" side. I
know one of the SF guys (Chris? Jeff?) was working on a "flexresp2", but
it looks like 2.3.2 still only includes the old version.

I also think that while Flexresp is useful, people believe it to be more
useful than it is. Flexresp is really pretty limited. It's useful
against automated probes, but really only acts as a hurdle to jump over
for a skilled manual attack. Even against automated probes, flexresp
isn't 100% effective, since it relies on being able to advance the TCP
sequence number first. Flexresp uses some tricks to give it a major
advantage, but it still boils down to being a race condition.

Now that snort has an official inline module, you really should consider
using it instead of flexresp if inline is feasible in your network and
on your platform.


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&opÌk
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

<Prev in Thread]	Current Thread	[Next in Thread>
[Snort-users] why old libnet?, Florin Andrei Re: [Snort-users] why old libnet?, Matt Kettler Re: [Snort-users] why old libnet?, Florin Andrei Re: [Snort-users] why old libnet?, Matt Kettler Re: [Snort-users] why old libnet?, Jeremy Hewlett RE: [Snort-users] why old libnet?, Eric Hines Re: [Snort-users] why old libnet?, Jeff Nathan RE: [Snort-users] why old libnet?, Ron Jenkins <= RE: [Snort-users] why old libnet?, Joshua Berry Re: [Snort-users] why old libnet?, Matt Kettler Re: [Snort-users] why old libnet?, Will Metcalf

Previous by Date:	Re: [Snort-users] why old libnet?, Matt Kettler
Next by Date:	[Snort-users] Snort and postgresql, Narayan Sivaramakrishnan
Previous by Thread:	Re: [Snort-users] why old libnet?, Jeff Nathan
Next by Thread:	RE: [Snort-users] why old libnet?, Joshua Berry
Indexes:	[Date] [Thread] [Top] [All Lists]