Snort mailing list archives

Re: TCP Resets


From: "Josh Berry" <josh.berry () netschematics com>
Date: Fri, 27 Feb 2004 22:43:18 -0600 (CST)

I currently use snort-inline at the perimeter to do inline blocking.  I
was just trying to assess the value (if there is any) of using regular
snort ids with tcp-resets on the internal side of the network.

twig les wrote:
--- Josh Berry <josh.berry () netschematics com> wrote:

I am trying to assess the value of using TCP Resets on Exploit
attacks over TCP such as Blaster and Code Red.  It seems as though
trying to reset these types of connections will just double the
amount of network traffic while not stopping the exploit.  Won't
the reset reach the machine too late as the IDS is reacting just
after the connection is seen?

That is a band-aid.  The core problem is the infected host.  Aside
from doubling the traffic, it does nothing to fix the core problem, just
the symptom.  If snort is not inline it may get bogged down enough to
let a payload pass anyway.

If you issue an RST (assuming inline):
* generates return traffic,
* fakes most scanners into believing port is closed,
* attacker can rapidly continue their attack/scan

If you do not issue an RST, but silently drop:
* no return traffic,
* attacker must wait for timeout,
* scanners assume the port is "filtered"

Inline will indeed not work exactly as expected; the above rules apply
to strictly inline devices (firewall, iptables, etc.).

Jeff



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry () linknet-solutions com
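The timing point raised in the thread (a reset from a passive sensor arrives after the segment it reacts to) and the scanner-perception point (RST reads as "closed", silent drop reads as "filtered") can both be seen in a small model. The following is an added example, not code from the thread or from the Snort project; every latency, the mid-path position of the sensor, and the `MODES` names are assumed values chosen for illustration.

```python
"""Toy timing model for two points made in the thread: a RST issued by a passive
(out-of-band) Snort sensor reaches the victim only after the triggering segment
has already been delivered, and a RST tells a SYN scanner "closed" while a silent
inline drop makes it wait out its timeout and report "filtered".
Constructed example; every latency below is an assumed value in milliseconds.
"""
from dataclasses import dataclass
from typing import Optional

MODES = ("none", "passive_rst", "inline_drop", "inline_rst")  # assumed names


@dataclass
class Sensor:
    mode: str                  # one of MODES
    detect_ms: float = 2.0     # time from seeing the segment to acting (assumed)
    tap_delay_ms: float = 0.5  # extra delay before a SPAN/tap copy reaches a passive sensor


@dataclass
class Outcome:
    payload_delivered_at: Optional[float]  # when the segment reached the victim; None if dropped
    rst_arrives_at: Optional[float]        # when the sensor's RST reached the victim; None if none sent
    packets_to_attacker: int               # extra packets the sensor sends back toward the attacker
    scanner_verdict: str                   # what a SYN scanner would conclude about the port


def scanner_verdict(response: Optional[str], waited_ms: float, timeout_ms: float) -> str:
    """Classify a probed port the way a typical SYN scanner does."""
    if response == "syn_ack":
        return "open"
    if response == "rst":
        return "closed"
    if waited_ms >= timeout_ms:
        return "filtered"  # nothing came back: something is dropping the probe
    return "unknown"


def simulate(sensor: Sensor, one_way_ms: float = 10.0, scan_timeout_ms: float = 1000.0) -> Outcome:
    """Attacker sends one segment at t=0 toward a listening port; the sensor sits mid-path."""
    if sensor.mode not in MODES:
        raise ValueError(f"unknown mode {sensor.mode!r}")
    half = one_way_ms / 2.0

    if sensor.mode == "none":
        # Nothing intervenes: segment delivered, victim answers, scanner sees the port as open.
        return Outcome(one_way_ms, None, 0, scanner_verdict("syn_ack", 2 * one_way_ms, scan_timeout_ms))

    if sensor.mode == "passive_rst":
        # The real segment keeps flowing while the sensor inspects a copy.
        seen_at = half + sensor.tap_delay_ms
        rst_sent_at = seen_at + sensor.detect_ms
        # RST toward both ends: one extra packet each way. The thread's simplification that
        # the attacker's scanner takes the RST at face value is kept here.
        return Outcome(one_way_ms, rst_sent_at + half, 1,
                       scanner_verdict("rst", rst_sent_at + half, scan_timeout_ms))

    if sensor.mode == "inline_drop":
        # Segment never leaves the sensor; attacker hears nothing until its own timeout.
        return Outcome(None, None, 0, scanner_verdict(None, scan_timeout_ms, scan_timeout_ms))

    # inline_rst: segment dropped, but a RST goes back, so the scanner gets a fast answer.
    rst_to_attacker_at = half + sensor.detect_ms + half
    return Outcome(None, None, 1, scanner_verdict("rst", rst_to_attacker_at, scan_timeout_ms))


def exploit_segment_stopped(o: Outcome) -> bool:
    """True only if the segment was dropped or the RST beat it to the victim."""
    if o.payload_delivered_at is None:
        return True
    return o.rst_arrives_at is not None and o.rst_arrives_at < o.payload_delivered_at


if __name__ == "__main__":
    for mode in MODES:
        o = simulate(Sensor(mode))
        print(f"{mode:12s} stopped={exploit_segment_stopped(o)!s:5} "
              f"extra_pkts_to_attacker={o.packets_to_attacker} scanner={o.scanner_verdict}")
```

With the assumed defaults, `passive_rst` delivers the segment at 10 ms and lands its RST at 12.5 ms, so the reset never stops the segment it reacted to, whatever the detection latency, because the tap copy and the decision both sit strictly after the wire delivery; only the two inline modes stop it, and only `inline_drop` does so without sending anything back toward the attacker.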




