Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Snort-users] snort 2.3.3 --enable-flexresp

from [John C. Silvia] Network Security [Permanent Link]
Subject: Re: [Snort-users] snort 2.3.3 --enable-flexresp
Date: Mon, 25 Apr 2005 09:03:01 -0600
Remember that the tcp resets generated by flexresp go out via the default route or whatever route is more appropriate.

This is very limiting, but can still be useful. For starters, this means that if you have a snort setup with two interfaces - one with IP for management and one without for sniffing, then your detector will be sending out the resets on the TCP interface.

If you're huddling IDS's behind a Check Point firewall for instance, and you have a dedicated DMZ for the IDS's, then you must disable address spoofing on that interface of the check point (and deal with the griping and consequences) in order for FlexResp to work.

Snortsam is a better choice since it'll block at the router or firewall, and you don't have to turn off any anti-spoofing. Inline is perhaps the best method, but carries too many risks as it can become a point of failure.

hans wrote:

hi all

i tried the experimental feature '--enable-flexresp' for compiling snort 2.3.3 on solaris 9 ( both sparc and intel plattform )

the first tests did run well, the following rule did disconnect an incomming connection immediate:

alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; resp:rst_all; )

the next step was to modify this rule sligthly. the disconnect should only appear, if the word "hello" was seen, with this rule: 

alert tcp any any <> $HOME_NET 25 (msg:"HELLOon25"; content:"hello"; 
resp:rst_all; )

i telnet to port 25, key in "hello" ( knowing it's not a smtp-dialog ) and nothing happens. i get a logentry, so the rule is involved if the word "hello" is seen, but no disconnect.

i searched a lot of time around the internet, but could find any advice, what the problem could be.

every advice would be helpfully.

just disconnecting any incomming connection could be the idea, a tcpwrapper could this job too.


best regards hans 




--
John C. Silvia
VP Information Systems & CTO
Cadamier Internet Security Corporation
http://www.cadamier.com
john@cadamier.com
303-249-3204 cell
720-898-4872 office



-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] Script to Parse Snort Rules, Jeff Heckart
Next by Date:  [Snort-users] Strange PATH MTU Traffic, Joshua Berry
Previous by Thread:  [Snort-users] snort 2.3.3 --enable-flexresp, hans
Next by Thread:  Re: [Snort-users] snort 2.3.3 --enable-flexresp, hans
Indexes:  [Date] [Thread] [Top] [All Lists]