Re: TCP Resets

[twig les <twigles () yahoo com>]

--- Josh Berry <josh.berry () netschematics com> wrote:
> I am trying to assess the value of using TCP Resets on Exploit
> attacks
> over TCP such as Blaster and Code Red.  It seems as though
> trying to reset
> these types of connections will just double the amount of
> network traffic
> while not stopping the exploit.  Won't the reset reach the
> machine too
> late as the IDS is reacting just after the connection is seen?
>
> Is there only value for doing this if the exploit can be
> spotted in the
> initial SYN but the actual malicious content is contained in
> the Data
> portion after the 3-way-handshake.
>
> Correct me anywhere that I am wrong.

That is a band-aid.  The core problem is the infected host. 
Aside from double the traffic it does nothing to fix the core
problem, just the symptom.  If snort is not inline it may get
bogged down enough to let a payload pass anyway.

=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with
democracy and with science.
     --Carl Sagan  
-----------------------------------------------------------

__________________________________
Do you Yahoo!?
Get better spam protection with Yahoo! Mail.
http://antispam.yahoo.com/tools


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users