From: Jim Forster (jforsterrapidnet.com)
Date: Thu Feb 28 2002 - 16:14:35 CST

    ---==On Thu, 28 Feb 2002 16:31:58 -0500, Basil Saragoza wrote==---
    >1. If I want to create my own rules then should I place it in the
    >local.rules file or create my own file? (And then use snort -o)
    Yes, that's why I added them; it's just easier when you update your ruleset to know they won't be overwritten.
    (I have now changed it to mylocal.rules on my systems, so installing a new set won't touch my files with the 'default' empty one.)

    >2. As to the flexresp rules...I understand it is quite dangerous and it can
    >cause more harm than good....is there any tutorial or user archive for
    >custom written rules?
    Flex drops the request, not necessarily the connection.
    I make a request for "welcome.html" ok
    I make a request for "cmd.exe" a TCP RST is sent
    I make a request for "welcome2.html" ok
    No firewall rules are changed/added and no black holing of the attacker occurs.

    >3. Let's say I created a flexresp rule for some annoying hostile
    >connection,
    >O.K., now it's dropped. Then hacker figures out what is going on and
    >spoofs
    >his address to novell.com address, then I can't block it cause I
    You block by the packet content. This would just mean he couldn't pretend to be from novell and attack you either. :)

    I've had mixed luck with flexresp; from what you've said here, Hogwash may actually be what you're looking for.
    --------------------------------------------------------------------
    Sleep: A completely inadequate substitute for caffeine.

    Jim Forster, jforsterrapidnet.com on 02/28/2002
    Network Administrator
    RapidNet, A Golden West Company

    _______________________________________________
    Snort-users mailing list
    Snort-userslists.sourceforge.net
    Go to this URL to change user options or unsubscribe:
    https://lists.sourceforge.net/lists/listinfo/snort-users
    Snort-users list archive:
    http://www.geocrawler.com/redir-sf.php3?list=snort-users
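The kind of rule Jim describes (a per-request TCP reset on a cmd.exe request, kept in a separate rules file so a ruleset update does not clobber it), written out as an added example that is not part of the original post or of any Snort ruleset. The file name mylocal.rules follows Jim's message; the snort.conf path, the $RULE_PATH/$EXTERNAL_NET/$HTTP_SERVERS variables and the sid are assumptions, and the flexresp keyword requires a Snort built with --enable-flexresp.

```snort
# mylocal.rules  (assumed location: $RULE_PATH/mylocal.rules)
#
# Pull it in from snort.conf with a line such as:
#   include $RULE_PATH/mylocal.rules
# and check the config parses before restarting the sensor:
#   snort -T -c /etc/snort/snort.conf      (path is an assumption)
#
# sids from 1000000 upward are reserved for local rules, so they will
# never collide with a distributed ruleset.

# Per-request reset on an IIS cmd.exe probe.  flexresp acts on the
# packet that matched and nothing else: no firewall rule is added, the
# source address is not blocked, and the next request from the same
# host (welcome2.html) goes through.  Because the trigger is the packet
# CONTENT, a forged source address (a novell.com address, say) changes
# nothing; the probe is reset just the same.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL WEB-IIS cmd.exe request"; flow:to_server,established; content:"cmd.exe"; nocase; resp:rst_all; classtype:web-application-attack; sid:1000001; rev:1;)

# Same trigger, but only alert.  A sensor on a SPAN port sees the packet
# at the same moment the server does, so the RST above races the server's
# own reply and may lose; keep the alert-only form for comparison when
# judging whether flexresp is actually buying you anything.
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS 80 (msg:"LOCAL WEB-IIS cmd.exe request (alert only)"; flow:to_server,established; content:"cmd.exe"; nocase; classtype:web-application-attack; sid:1000002; rev:1;)
```

resp:rst_all sends a reset to both ends; rst_snd or rst_rcv limit it to one side. The rule fires after the request has already reached the server, which is the "mixed luck" Jim mentions: it is a response, not prevention, and an attacker who notices the resets simply retries.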