Snort mailing list archives

Re: More explanation needed in Snort User Manual for "resp:"?


From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 06 Nov 2003 17:12:00 -0500

At 03:53 PM 11/6/2003, Jason Haar wrote:
> . But this
> still seems like a bug to me, as I can't think of a reason why you would
> ever want the packet to leave through anything other than the interface it
> was seen on! [well, except one: TAPs - but that's pretty special case]
>
> Am I missing something here?

Yes, the fact that if you're doing TCP resets, you really want to send a tcp reset to the destination of the attack, not the source. This may or may not be the same interface that the attack came in on, particularly if your snort sensor is running on a routing box.

And taps really aren't that special of a case, or at least shouldn't be. Of course, I also suspect most snort users aren't careful enough to be running snort chroot/setuid either (sigh).




