Snort mailing list archives
Re; Flex-Response, anyone using it?
From: Richard Bejtlich <taosecurity () gmail com>
Date: Wed, 19 May 2004 14:42:04 -0400
Dusty Hall wrote:
> I'm curious to know how many people, if any, are using Flex-Response and
> what kind of results they have seen?

I've used flexible response to knock down connections to ports 135, 139, 445, and 1433 TCP in short term incident response containment situations. It's no substitute for access control via firewall rule, but it's better than nothing.

I tell Snort to watch for packets with A+ set so it has multiple chances to tear down the session, starting with the SYN ACK response from the target. In some cases the tear down is immediate, and in others the attacker is still able to deliver a payload. Don't bother using flexible response with HTTP or other short-lived sessions.

Sincerely,
Richard
http://www.taosecurity.com
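Added example, not part of the original post: one way to write the containment rules described above in Snort 2.x flexresp syntax. The `$HOME_NET` variable, the message text and the sid values are assumptions chosen for illustration.

```snort
# Constructed illustration; requires a Snort 2.x build configured with --enable-flexresp.
# $HOME_NET is assumed to hold the hosts being contained; sids are in the local range.
# "<>" matches both directions, so the target's SYN ACK (source port 135/139/445/1433)
# is the first packet that fires the rule.
# flags:A+ matches any segment with ACK set, whatever other flags are present, so every
# later packet in the session gives Snort another chance to send a reset.
# resp:rst_all sends TCP RSTs to both ends of the connection.
alert tcp any any <> $HOME_NET 135  (msg:"CONTAIN reset TCP 135 session";  flags:A+; resp:rst_all; sid:1000001; rev:1;)
alert tcp any any <> $HOME_NET 139  (msg:"CONTAIN reset TCP 139 session";  flags:A+; resp:rst_all; sid:1000002; rev:1;)
alert tcp any any <> $HOME_NET 445  (msg:"CONTAIN reset TCP 445 session";  flags:A+; resp:rst_all; sid:1000003; rev:1;)
alert tcp any any <> $HOME_NET 1433 (msg:"CONTAIN reset TCP 1433 session"; flags:A+; resp:rst_all; sid:1000004; rev:1;)
```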
Current thread:
- Re; Flex-Response, anyone using it? Richard Bejtlich (May 19)
- Re: Re; Flex-Response, anyone using it? Marcin Laskowski (May 19)
- Re: Re; Flex-Response, anyone using it? James Riden (May 19)
