Snort mailing list archives
RE: TCP Reset
From: "Lampe, John W." <JWLAMPE () GAPAC com>
Date: Sat, 19 May 2001 21:02:48 -0400
> Hi,

Hello.

> What does the group think of the benefits of killing TCP connections, as available in FLEXRESP, or even the Tcpkill feature in ISS Realsecure? From what I've understood so far, it's effective against DoS attacks like SYN-Flood, and of limited value against buffer overflow attacks;

It's useless (in some instances, more than useless) against SYN-floods, and of limited value against buffer overflows.

> plus, it could be abused by the attacker too. Since the 'Reset' is sent after the attack packet reaches the host, can it actually prevent the buffer overflow?

Yes, as long as the snort engine can note the signature (shellcode, NOPs, whatever) and RST the connection before the payload has been delivered.

> Now, if the malicious code that gets executed adds a new account (say), wouldn't killing the connection after the event be quite wasted?
>
> TIA,
> Michael
>
> Free, encrypted, secure Web-based email at www.hushmail.com
John Lampe

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
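The timing condition John describes (the RST only helps if it arrives before the rest of the payload does) is easier to reason about with a small model. The Python below is an added illustration written for this archive page; it is not code from the thread, from Snort or from FLEXRESP. It assumes a sensor that watches the stream segment by segment (reassembling what it has seen so far), an MSS of 1460 bytes, and that the segment which triggers the match has already passed the sensor towards the host, so a reset can only preempt segments that have not been sent yet. The payloads and the "signature" (a run of NOP bytes) are constructed sample data.

```python
# Model of the race between an IDS that resets a connection on a signature
# match and delivery of the attack payload to the host.
# Added example for this page; not Snort/FLEXRESP code. Assumptions:
#   - the sensor sees each TCP segment once, in order, and keeps a
#     reassembled copy of the stream so far;
#   - the segment that completes the match is already on its way to the
#     host and is delivered; the RST can only stop later segments.

MSS = 1460  # assumed maximum segment size (typical Ethernet value)


def segment(payload: bytes, mss: int = MSS) -> list[bytes]:
    """Split a payload into TCP segments of at most `mss` bytes."""
    return [payload[i:i + mss] for i in range(0, len(payload), mss)]


def first_match_segment(segments: list[bytes], signature: bytes):
    """Index of the segment after which the reassembled stream first
    contains `signature`, or None if it never does. Reassembly means a
    signature spanning a segment boundary is still found."""
    seen = b""
    for i, seg in enumerate(segments):
        seen += seg
        if signature in seen:
            return i
    return None


def delivered_before_reset(payload: bytes, signature: bytes,
                           mss: int = MSS) -> tuple[int, bool]:
    """Return (bytes that reach the host, whether the whole payload did).

    A match in segment i lets the RST cut off segments i+1 onward; the
    host still receives everything up to and including segment i.
    With no match there is no reset and everything is delivered."""
    segs = segment(payload, mss)
    idx = first_match_segment(segs, signature)
    if idx is None:
        delivered = len(payload)
    else:
        delivered = sum(len(s) for s in segs[:idx + 1])
    return delivered, delivered >= len(payload)


# Constructed sample data: a 16-byte NOP run stands in for a signature.
NOP_SIGNATURE = b"\x90" * 16
SLED = b"\x90" * 200
FILLER = b"X"

# Sled at the very start of a multi-segment payload: reset cuts it short.
EARLY_SLED_LONG = SLED + FILLER * 3800          # 4000 bytes
# Same sled, but the whole exploit fits in one segment: reset is too late.
EARLY_SLED_SHORT = SLED + FILLER * 600          # 800 bytes
# Sled near the end of the payload: by the time it is seen, all is sent.
LATE_SLED_LONG = FILLER * 3000 + SLED + FILLER * 800  # 4000 bytes
# No signature at all: nothing to reset.
NO_SIGNATURE = FILLER * 100


def scenarios() -> dict[str, tuple[int, bool]]:
    """Run the constructed scenarios and report (delivered bytes, fully delivered?)."""
    return {
        "early sled, 4000 B": delivered_before_reset(EARLY_SLED_LONG, NOP_SIGNATURE),
        "early sled, 800 B": delivered_before_reset(EARLY_SLED_SHORT, NOP_SIGNATURE),
        "late sled, 4000 B": delivered_before_reset(LATE_SLED_LONG, NOP_SIGNATURE),
        "no signature, 100 B": delivered_before_reset(NO_SIGNATURE, NOP_SIGNATURE),
    }


if __name__ == "__main__":
    for name, (delivered, complete) in scenarios().items():
        verdict = "payload delivered in full" if complete else "payload cut short"
        print(f"{name:22s} -> {delivered:5d} bytes reached host; {verdict}")
```

The only case where the reset helps is the first one: a recognisable prefix in an early segment of a payload that still has segments to go. An exploit that fits in a single segment, or whose recognisable part comes last, is fully delivered before any RST can act, which is the "limited value against buffer overflows" in the reply above.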