RE: [Snort-users] UPDATE: flexresp2 (new and improved active response for Snort)

From: Francis A. Vidal (francisv-sender-58ad63irc.dagupan.com)
Date: Thu Sep 04 2003 - 06:49:20 CDT


Jeff,

Any chance you can make the patch work cleanly with the FreeBSD port?
Thanks.

-----Original Message-----
From: Jeff Nathan [mailto:jeff@snort.org]
Sent: Thursday, September 04, 2003 5:59 PM
To: snort-announce@lists.sourceforge.net; snort-users@lists.sourceforge.net;
snort-devel@lists.sourceforge.net; snort-sigs@lists.sourceforge.net
Subject: [Snort-users] UPDATE: flexresp2 (new and improved active response for Snort)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

NOTE: This is an update to the release of sp_respond2 yesterday based
upon feedback from Chris Green. It contains 2 minor bugfixes, allows
for running Snort as a non-root user with active response and re-adds
the ability to send TCP resets to the client (ONLY to be used for
attack-response rules).

At long last I am proud to release flexresp2, the improved version of
active response for Snort.

From the readme file:
***********************
To compensate for the fact that Snort cannot possibly send a TCP reset
to the server (receiving host) or client (sending host) before the
offending packet reaches the destination, Snort will transmit a minimum
of 3 TCP reset packets with shifting TCP ack numbers in an attempt to
brute-force the connection into an unusable state.

Flexresp2 will automatically calculate the original TTL when sending a
response packet.

Flexresp2 will not respond to TCP packets with the SYN, FIN or RST flag
set.

Link-layer active response (crafting complete Ethernet frames) can be
used to completely bypass the routing table and force response packets
to be sent out a specified interface.

Snort running on Unix-like systems no longer requires root privileges
when active response (flexresp2) is used. Instead the -u and -g
command line options can be used.
***********************

All the files comprising flexresp2 (sp_respond2) are available here:
http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/

A readme is available here:
http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/sp_respond2.readme

Please read this readme document carefully. It has been written to
help anyone interested in using flexresp2 and details the new features
available in this release.

All the files have been MD5 checksummed; a checksum file is available
here:
http://cerberus.sourcefire.com/~jeff/archives/snort/sp_respond2/MD5

A detached PGP signature has been created for all the files. To verify
the signatures using GPG, import my public key from the MIT keyserver
using the command:

gpg --keyserver pgp.mit.edu --recv-key 6923D3FD

Once you have obtained my PGP public key, you can verify the integrity
of the flexresp2 files using commands resembling the following:

gpg --verify sp_respond2.diff.gz.asc sp_respond2.diff.gz

Please reference the BUGS file contained with the Snort distribution
before reporting any bugs in this software.

Special thanks to Dragos Ruiu, Jed Haile, Jose Nazario, Mike Davis,
Chris Reid and Chris Green for all their suggestions and review.

Enjoy!

  -Jeff

--
http://cerberus.sourcefire.com/~jeff (gpg key available)
"Great spirits have always encountered violent opposition from
mediocre minds." - Albert Einstein
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (Darwin)

iD8DBQE/Vw0CEqr8+Gkj0/0RAsBTAJwOzWq9jaHmc1BWkKyKHLj3X7DkeQCgxuzf
nlslujYrKFvcZLJQMJmocQs=
=Bmf0
-----END PGP SIGNATURE-----

-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

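The readme excerpt above describes two behaviours of flexresp2 that a network defender can model directly: it never answers a segment carrying SYN, FIN or RST, and it sends at least three resets per flow with shifting ack numbers to brute-force the connection closed. The following is an added example (not code from the original message, from Snort or from sp_respond2) that encodes the first rule as a policy check and turns the second into detection logic: a burst of three or more RSTs on one flow with pairwise-distinct ack numbers is the on-the-wire signature of reset brute-forcing, whether it comes from a sensor's active response or from a reset-injection attack on your own sessions. The packet record format, the sample packets, the one-second window and the three-reset threshold are all constructed assumptions.

```python
"""Spot bursts of TCP resets with shifting ack numbers, the pattern the
flexresp2 readme describes. Added example; Packet, SAMPLE_PACKETS and the
thresholds are constructed assumptions, not Snort/sp_respond2 code."""
from collections import defaultdict
from dataclasses import dataclass

TCP_FIN = 0x01
TCP_SYN = 0x02
TCP_RST = 0x04
TCP_ACK = 0x10


@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds (constructed format)
    src: str
    sport: int
    dst: str
    dport: int
    flags: int     # TCP flag bits as above
    seq: int
    ack: int
    ttl: int


def should_respond(flags: int) -> bool:
    """Policy from the readme: do not answer segments with SYN, FIN or RST set."""
    return not flags & (TCP_SYN | TCP_FIN | TCP_RST)


def flow_key(p: Packet):
    """Directional 4-tuple identifying the flow a segment belongs to."""
    return (p.src, p.sport, p.dst, p.dport)


def find_reset_bursts(packets, min_resets=3, window=1.0):
    """Return one record per flow burst of at least `min_resets` RST segments
    whose ack numbers are all different and that arrive within `window`
    seconds of the first. A normal teardown is a single RST, and a
    retransmitted RST repeats the same ack, so neither is reported."""
    by_flow = defaultdict(list)
    for p in packets:
        if p.flags & TCP_RST:
            by_flow[flow_key(p)].append(p)

    bursts = []
    for key, rsts in by_flow.items():
        rsts.sort(key=lambda p: p.ts)
        i = 0
        while i < len(rsts):
            # extend the group while the next RST is still inside the window
            j = i
            while j + 1 < len(rsts) and rsts[j + 1].ts - rsts[i].ts <= window:
                j += 1
            group = rsts[i:j + 1]
            acks = {p.ack for p in group}
            if len(group) >= min_resets and len(acks) == len(group):
                bursts.append({
                    "flow": key,
                    "count": len(group),
                    "acks": sorted(acks),
                    "ttls": sorted({p.ttl for p in group}),
                    "first_ts": group[0].ts,
                })
            i = j + 1
    return bursts


# Constructed sample capture: a client data segment, three resets sent
# toward the client with the ack stepped by 1000 each time, one ordinary
# RST on a second flow, and three retransmitted RSTs on a third flow.
SAMPLE_PACKETS = [
    Packet(10.000, "192.0.2.9", 40000, "10.0.0.5", 80, TCP_ACK, 5000, 1000, 57),
    Packet(10.001, "10.0.0.5", 80, "192.0.2.9", 40000, TCP_RST | TCP_ACK, 1000, 5000, 64),
    Packet(10.002, "10.0.0.5", 80, "192.0.2.9", 40000, TCP_RST | TCP_ACK, 1000, 6000, 64),
    Packet(10.003, "10.0.0.5", 80, "192.0.2.9", 40000, TCP_RST | TCP_ACK, 1000, 7000, 64),
    Packet(11.000, "10.0.0.7", 22, "192.0.2.20", 51000, TCP_RST | TCP_ACK, 77, 88, 64),
    Packet(12.000, "10.0.0.8", 443, "192.0.2.30", 52000, TCP_RST | TCP_ACK, 1, 2, 64),
    Packet(12.100, "10.0.0.8", 443, "192.0.2.30", 52000, TCP_RST | TCP_ACK, 1, 2, 64),
    Packet(12.200, "10.0.0.8", 443, "192.0.2.30", 52000, TCP_RST | TCP_ACK, 1, 2, 64),
]

if __name__ == "__main__":
    for b in find_reset_bursts(SAMPLE_PACKETS):
        print(b)
```

The detector keys on ack diversity rather than on TTL because, as the readme states, flexresp2 calculates the original TTL for its responses, so the TTL of an injected reset is not expected to differ from the flow's own packets; the `ttls` field is reported only so an analyst can see when an injector did not bother.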