
Thread: a snort question??

  1. #11
    Senior Member
    Join Date
    Jul 2001
    Posts
    461
    Yes, but you can make snort fiddle with your firewall in real time, or nearly so.

  2. #12
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Actually, under Snort 2.x, there is the keyword resp, which is part of the flexresp (flexible response) module that can be compiled into it.

    What resp allows you to do is send an ICMP destination or port unreachable (and a couple of other ICMP responses, IIRC) to the source, destination or both. I believe that you can send an RST as well, but it is early-o-clock and I'm still too lazy to actually look it up - you'll find it in the manuals at www.snort.org.

    As has already been pointed out, you need to be careful or you can be used for a reflected DDoS or DoSed yourself quite easily. The scenarios I would consider using it in are:

    1. Preventing an outbound trojan/virus from calling home/spreading - send ICMP dest unreachable or RST to the source host on the HOME_NET.
    2. Preventing policy breaches such as AIM outbound from the HOME_NET.
    3. In extreme circumstances where an attack signature has been developed but a patch hasn't yet, and you must keep the service running publicly.... But that's really "iffy".

    In using flexresp I would always tend to use it against the destination (victim) on attacks from the EXTERNAL_NET, so that the attacker would not see the activity and choose to use it against me, and in the case of HOME_NET sending outbound I would use it against the source (attacker) to keep the responses within my own network at all times.

    It would be nice to be able to send an ICMP source quench to the attacker in the case of worm activity, which would effectively "tarpit" it for a while, but I don't think Snort gives you that option.

    Ichni: Yeah, Snort can, but that depends upon your firewall. Furthermore, the Snort team do not recommend using Snort to spawn outside processes - especially on WinX boxes - because of the potential for dropping packets that might be important.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
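The three scenarios above, written out as Snort 2.x rules with the resp keyword. These are added example rules, not rules from the original post or from the Snort project; they assume a Snort 2.x sensor built with flexible response support and the usual $HOME_NET / $EXTERNAL_NET variables set in snort.conf. The ports, content matches, messages and sids (1000001 to 1000004) are illustrative choices, and the content patterns in rules 2 and 4 are constructed placeholders rather than real attack signatures.

```snort
# Added example (not from the thread). Requires Snort 2.x compiled with
# flexresp and $HOME_NET / $EXTERNAL_NET defined in snort.conf.
#
# resp: mechanisms available in the 2.x flexresp module:
#   rst_snd   - TCP RST to the side that SENT the matched packet
#   rst_rcv   - TCP RST to the side that RECEIVED it
#   rst_all   - both sides
#   icmp_net / icmp_host / icmp_port / icmp_all
#             - ICMP unreachable to the SENDER only (usable on UDP as well)

# Scenario 1: infected HOME_NET host calling home (IRC-style bot, port assumed).
# Reset only the internal sender, so the response never leaves the local network.
alert tcp $HOME_NET any -> $EXTERNAL_NET 6667 ( \
    msg:"LOCAL trojan IRC call-home, RST to internal sender"; \
    flow:to_server,established; content:"NICK "; depth:5; \
    resp:rst_snd; classtype:trojan-activity; sid:1000001; rev:1;)

# Scenario 1, UDP variant: no TCP state, so only the ICMP options apply, and
# they are delivered to the sender, i.e. again the HOME_NET host.
# "|BE EF|" is a constructed marker standing in for a real beacon pattern.
alert udp $HOME_NET any -> $EXTERNAL_NET 1024: ( \
    msg:"LOCAL UDP beacon, ICMP port unreachable to internal sender"; \
    content:"|BE EF|"; depth:2; \
    resp:icmp_port; classtype:trojan-activity; sid:1000002; rev:1;)

# Scenario 2: policy breach, AIM (OSCAR, TCP 5190) outbound from HOME_NET.
# OSCAR FLAP frames start with 0x2A. Reset the internal client only.
alert tcp $HOME_NET any -> $EXTERNAL_NET 5190 ( \
    msg:"POLICY outbound AIM, RST to internal client"; \
    flow:to_server,established; content:"|2A|"; depth:1; \
    resp:rst_snd; classtype:policy-violation; sid:1000003; rev:1;)

# Scenario 3: known attack against a public service that cannot be taken
# down yet. Reset the RECEIVING (victim) side: the attacker sees nothing,
# and the RST stays inside HOME_NET. "PLACEHOLDER-ATTACK-PATTERN" is a
# constructed stand-in for the real signature.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 ( \
    msg:"LOCAL unpatched-service attack, RST to internal victim"; \
    flow:to_server,established; content:"PLACEHOLDER-ATTACK-PATTERN"; nocase; \
    resp:rst_rcv; classtype:attempted-admin; sid:1000004; rev:1;)
```

The direction of each resp option is the whole point. Rules 1 to 3 match only traffic sourced from $HOME_NET, so rst_snd and icmp_port can never be pointed at an outside address no matter what the packet's source field says. Rule 4 deliberately avoids rst_snd and rst_all: with a spoofed external source, either would turn the sensor into a reflector that sends resets to whichever third party the attacker named. rst_rcv keeps the reset on the HOME_NET side, but an attacker who can forge a packet matching the signature can still get that reset delivered to an internal server, which is the "DoSed yourself" case and why scenario 3 is iffy. Later 2.9 builds replaced flexresp with the active-response feature, so check the manual for your version before relying on these option names.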

  3. #13
    Senior Member
    Join Date
    Sep 2003
    Posts
    161
    So you should not run flexresp on Snort.
    Could you explain a little more, however, how, if you enable flexresp on Snort, you might create a DoS attack against yourself or others?

    Is it like if I send you a packet in which the source and destination are the same, the Snort IDS will send a RST packet to itself, thus DoSing itself, or a guy who sends an attack using a spoofed address and Snort sends a RST packet to that spoofed address, thus DoSing the spoofed address?

  4. #14
    Senior Member
    Join Date
    Jan 2004
    Location
    Memphis Tn
    Posts
    100
    Hey, uhmm, just wondering if there are any useful FREE!!! Snort programs? If so, how trustworthy are they?

    Boogymantroy

  5. #15
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Boogeyman: Lots. Visit www.snort.org and look around. They are all free and all reliable.
