IDS mailing list archives

TCP ACK/RST packets with data in the Reset Cause


From: Mike Gibson <micheal.gibson () gmail com>
Date: Tue, 10 Jan 2006 11:06:03 -0500

Has anyone ever seen TCP RST packets being sent from clients to web
server with a "Reset Cause" containing the HTML that was in the packet
that they are responding to?

For example a browser client is getting a 404 error returned from my
webserver but right after this I am seeing a TCP ACK/RST packet from
the client with the 404 HTML in the packet.

When I look at the packet in Ethereal it shows the HTML in a field
called "Reset cause".

These packets are causing my IDS to go nuts.
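
An added example, not part of the original post: a small Python check that extracts the bytes following the TCP header of a RST segment (the bytes Ethereal labels "Reset cause") and classifies them, so these packets can be triaged separately from other IDS alerts. The segment builder, the sample 404 body and the label names are constructed for illustration.

```python
import struct

RST, ACK = 0x04, 0x10

# Constructed sample: the kind of 404 body the post describes being echoed back.
SAMPLE_404 = b"<html><head><title>404 Not Found</title></head></html>"

def build_segment(flags, payload=b"", sport=49152, dport=80, seq=1, ack=1):
    """Build a constructed 20-byte TCP header (no options, checksum 0) plus payload."""
    off_flags = (5 << 12) | flags  # data offset = 5 words, then the flag bits
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                       off_flags, 0, 0, 0) + payload

def rst_payload(segment):
    """Return the bytes after the TCP header if RST is set, else None."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    header_len = (off_flags >> 12) * 4  # data offset is counted in 32-bit words
    if header_len < 20 or header_len > len(segment):
        raise ValueError("bad data offset")
    if not off_flags & RST:
        return None
    return segment[header_len:]

def triage(segment):
    """Classify a TCP segment by what, if anything, its RST carries."""
    data = rst_payload(segment)
    if data is None:
        return "not-rst"
    if not data:
        return "rst-empty"
    if data.lstrip()[:1] == b"<" or data.startswith(b"HTTP/"):
        return "rst-with-http-like-data"
    printable = all(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return "rst-with-text" if printable else "rst-with-binary"

if __name__ == "__main__":
    for seg in (build_segment(RST | ACK, SAMPLE_404),
                build_segment(RST),
                build_segment(ACK, b"GET / HTTP/1.1\r\n")):
        print(triage(seg), rst_payload(seg))
```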
