Snort mailing list archives
RE: [OT] - RE: Repost: resp:rst_all not working
From: "Lucretia Enterprises" <info () lucretia ca>
Date: Fri, 5 Mar 2004 21:01:06 -0700
I think it's rather simplistic to think flexresponse ADDs anything to snort. Just my 10 drinks....

James Friesen
CIO
Lucretia Enterprises
info at lucretia dot ca
http://www.lucretia.ca/

:> -----Original Message-----
:> From: snort-users-admin () lists sourceforge net
:> [mailto:snort-users-admin () lists sourceforge net] On Behalf
:> Of bmcdowell () coxhealthplans com
:> Sent: Friday, March 05, 2004 1:54 PM
:> To: snort-users () lists sourceforge net
:> Subject: [OT] - RE: [Snort-users] Repost: resp:rst_all not working
:>
:> Please add to the drinking game:
:>
:> If Matt Kettler lets a question about flexresponse
:> go by without explaining why TCP resets are a bad idea -
:> take 10 drinks.
:>
:> (Just giving him a hard time, of course. But you can
:> probably set your watch by the lag between such a question
:> and the inevitable response...)
:>
:> -----Original Message-----
:> From: snort-users-admin () lists sourceforge net
:> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of
:> Matt Kettler
:> Sent: Friday, March 05, 2004 10:43 AM
:> To: Venkata Raghavan; snort-users () lists sourceforge net
:> Subject: Re: [Snort-users] Repost: resp:rst_all not working
:>
:> At 04:00 AM 3/5/2004, Venkata Raghavan wrote:
:> >alert tcp any any -> $HOME_NET 25 (msg:"SMTP Rule Testing";
:> >flow:to_server,established; content:"test"; nocase; resp:rst_all;)
:> >After this, when I launch a telnet (port 25) session to an SMTP server
:> >from my windows client, the alert gets generated. But there is no reset.
:> >Then I tried the telnet from a linux PC - this time it gets reset.
:> >When I check the packets sent using ethereal, I observe that whereas from
:> >a windows PC the data "test" comes as four packets, from a linux PC "test"
:> >comes as a data of single packet. I guess this is a problem with the WinXP
:> >version of Telnet client.
:>
:> None of this is a problem in a telnet client. Technically the windows XP one
:> is doing the right thing and disabling nagle..
:>
:> The reason it's "not working" is you're just unaware of the limitations of
:> tcp resets.
:>
:> 1) tcp reset is a race between snort and the host that you aren't sending a
:> reset to. Whoever gets the packet to the host snort is trying to reset wins
:> the race.
:>
:> 2) flexresp is only likely to win this race if there's a significant
:> latency somewhere between the hosts you are desynchronizing. tcp resets
:> work VERY poorly within a lan.
:>
:> 3) It's pointless to send resets to an attacker. If they are smart, they'll
:> be filtering them. Reset your local server or client instead. Rst_all
:> doesn't hurt, but realize that the one sent to the attack originator won't
:> do much good unless the attacker is automated or stupid.
:>
:> 4) Smart attackers can generally evade flexresp by cheating and starting
:> the race early. Non-nagled tcp connections (i.e. telnet) are actually likely
:> to evade it by the natural patterns of their traffic. Flexresp2 makes this
:> harder, and will generally deal with nagle issues, but a clever attacker
:> can still have some chance of winning regardless.
:>
:> -------------------------------------------------------
:> This SF.Net email is sponsored by: IBM Linux Tutorials
:> Free Linux tutorial presented by Daniel Robbins, President
:> and CEO of GenToo technologies. Learn everything from
:> fundamentals to system administration.
:> http://ads.osdn.com/?ad_id=1470&alloc_id=3638&op=click
:> _______________________________________________
:> Snort-users mailing list
:> Snort-users () lists sourceforge net
:> Go to this URL to change user options or unsubscribe:
:> https://lists.sourceforge.net/lists/listinfo/snort-users
:> Snort-users list archive:
:> http://www.geocrawler.com/redir-sf.php3?list=snort-users
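The four limitations Matt Kettler lists in the quoted reply (the race against the peer's next segment, the dependence on latency, the futility of resetting the originator, and evasion by pipelining) can be put into a small timing model so a defender can judge when `resp:rst_all` is worth enabling at all. This is an added example in Python, not code from any post in the thread and not part of Snort or flexresp. The topology (a passive sensor tapping the attacker-to-server path, symmetric round trip) and every latency value are constructed assumptions; the sequence-number check summarises the RFC 793 in-window rule and the RFC 5961 exact-match rule rather than any particular stack.

```python
"""Timing model of the TCP reset race described in the thread (added example,
not from the list post). Assumptions: a passive sensor taps the attacker->server
path, the path is symmetric, and all latencies are constructed sample values
in milliseconds."""
from dataclasses import dataclass


@dataclass
class Scenario:
    attacker_to_tap_ms: float   # attacker -> point where the sensor taps the path
    tap_to_server_ms: float     # tap point -> protected server
    sensor_delay_ms: float      # detect + build + emit the RST (point 1)
    server_think_ms: float      # server's time to answer the triggering segment
    attacker_think_ms: float    # attacker's pause after reading the reply (interactive)
    pipelines: bool = False     # point 4: next segment is sent without waiting for a reply
    pipeline_gap_ms: float = 0.5

    @property
    def attacker_to_server_ms(self) -> float:
        return self.attacker_to_tap_ms + self.tap_to_server_ms


def rst_arrival_at_server(s: Scenario) -> float:
    """The sensor only sees the trigger once it passes the tap, so its RST can
    never beat the trigger itself; it leaves sensor_delay later and follows it."""
    return s.attacker_to_tap_ms + s.sensor_delay_ms + s.tap_to_server_ms


def next_attacker_segment_at_server(s: Scenario) -> float:
    """When the attacker's *next* segment reaches the server. This is the packet
    the RST is racing (point 1: the race is against the host not being reset)."""
    if s.pipelines:
        return s.attacker_to_tap_ms + s.pipeline_gap_ms + s.tap_to_server_ms
    # trigger reaches server, server replies, reply crosses back, attacker
    # reads it, next segment crosses again: three one-way trips plus think times
    return 3 * s.attacker_to_server_ms + s.server_think_ms + s.attacker_think_ms


def server_reset_wins(s: Scenario) -> bool:
    """True if the RST aimed at the local server lands before more attack data."""
    return rst_arrival_at_server(s) < next_attacker_segment_at_server(s)


def attacker_reset_wins(s: Scenario, attacker_filters_rst: bool = False) -> bool:
    """The RST sent toward the originator (the other half of rst_all, point 3)
    races the server's own reply; a host that drops inbound RSTs ignores it."""
    if attacker_filters_rst:
        return False
    rst_at_attacker = 2 * s.attacker_to_tap_ms + s.sensor_delay_ms
    reply_at_attacker = 2 * s.attacker_to_server_ms + s.server_think_ms
    return rst_at_attacker < reply_at_attacker


def rst_accepted(rst_seq: int, rcv_nxt: int, rcv_wnd: int, strict: bool = False) -> bool:
    """Even a RST that wins the race is dropped unless the target accepts its
    sequence number. Classic RFC 793 honours any in-window RST; RFC 5961 stacks
    (strict=True) honour only an exact RCV.NXT match. A sensor that has lost
    stream state (e.g. data split over several un-Nagled segments) can pick a
    number the target simply ignores."""
    offset = (rst_seq - rcv_nxt) % (1 << 32)   # sequence arithmetic wraps mod 2^32
    if strict:
        return offset == 0
    return offset < rcv_wnd


# Constructed scenarios (point 2): on a LAN every hop is sub-millisecond and the
# sensor's own processing dominates; across a WAN the remote attacker is far away.
LAN = Scenario(0.2, 0.2, 5.0, 1.0, 1.0)
WAN_INTERACTIVE = Scenario(60.0, 1.0, 5.0, 1.0, 1.0)
WAN_PIPELINED = Scenario(60.0, 1.0, 5.0, 1.0, 1.0, pipelines=True)

if __name__ == "__main__":
    for name, sc in [("LAN", LAN), ("WAN interactive", WAN_INTERACTIVE),
                     ("WAN pipelined", WAN_PIPELINED)]:
        print(f"{name:16s} RST@{rst_arrival_at_server(sc):6.1f}ms "
              f"next segment@{next_attacker_segment_at_server(sc):6.1f}ms "
              f"local reset wins: {server_reset_wins(sc)} "
              f"originator reset wins: {attacker_reset_wins(sc)}")
```

Running it shows the reset to the local server losing on the LAN (the attacker's next segment arrives at 3.2 ms, the RST at 5.4 ms), winning against an interactive remote client (66 ms versus 185 ms), and losing again as soon as that remote client pipelines its data (66 ms versus 61.5 ms). The reset toward the originator loses in all three constructed cases even before any filtering is considered, which is the practical content of point 3.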
Current thread:
- [OT] - RE: Repost: resp:rst_all not working bmcdowell (Mar 05)
- RE: [OT] - RE: Repost: resp:rst_all not working Lucretia Enterprises (Mar 05)