Snort mailing list archives
RE: TCP Reset
From: michael.porter () hushmail com
Date: Sun, 20 May 2001 12:11:47 -0500 (EDT)
Can the RST packet from Snort - which comes after the attack packet(s) - actually nullify the effect of the payload? Doesn't the server socket pass the payload to the application, before it handles the reset? Or am I getting something wrong here? Has anybody actually succeeded RST-ing a buffer overflow?

The question is...how large is the buffer? It's a race. If the buffer is large enough (spanning multiple packets), the RST has the potential of occurring before the actual overflow occurs.

This is interesting: if it's a race between the attacker and the IDS, then I guess the packet size is what counts. Since packets of size 1500 bytes are not uncommon, I guess few buffer overflows will be effectively 'killed' by the RST. Is this also an argument against using the IDS as an 'active direct response' to attacks?

Free, encrypted, secure Web-based email at www.hushmail.com
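A toy timing model of the race the thread describes, added here as an illustration (not code from anyone in the thread): the overflow is complete once the last segment needed to fill the buffer has been handed to the application, and a Snort RST only helps if it lands before that segment. The segment spacing, the detect-plus-RST latency and the MSS are assumed values chosen for the example.

```python
import math
from dataclasses import dataclass


@dataclass
class RaceResult:
    segments_needed: int   # TCP segments the attacker needs to fill the buffer
    overflow_done_us: float  # when the last needed segment reaches the app
    rst_arrives_us: float    # when the IDS-generated RST reaches the server
    rst_wins: bool           # True only if the RST lands before the overflow


def rst_race(overflow_bytes, mss=1460, segment_gap_us=120.0,
             rst_latency_us=2000.0, detect_segment=1):
    """Decide whether an IDS RST can beat a buffer overflow of the given size.

    overflow_bytes : bytes the attacker must deliver to overrun the buffer
    mss            : bytes of payload per segment (assumed 1460 for Ethernet)
    segment_gap_us : assumed arrival spacing of back-to-back segments
    rst_latency_us : assumed time from the IDS seeing the matching segment
                     to the RST reaching the server
    detect_segment : 1-based index of the segment that triggers the rule
    """
    if overflow_bytes <= 0 or mss <= 0 or detect_segment < 1:
        raise ValueError("sizes and segment index must be positive")
    n = math.ceil(overflow_bytes / mss)
    # segment k (1-based) is delivered at (k-1)*gap; the overflow completes
    # with segment n. Data already passed to the app cannot be recalled.
    overflow_done = (n - 1) * segment_gap_us
    rst_arrives = (detect_segment - 1) * segment_gap_us + rst_latency_us
    wins = detect_segment <= n and rst_arrives < overflow_done
    return RaceResult(n, overflow_done, rst_arrives, wins)


def min_overflow_bytes_for_rst(mss=1460, segment_gap_us=120.0,
                               rst_latency_us=2000.0):
    """Smallest overflow length at which the RST can still win the race
    (rule matched on the first segment). Anything that fits in one segment
    is already delivered before the RST can possibly arrive."""
    # need (n-1)*gap > latency, and n segments means > (n-1)*mss bytes
    n = math.floor(rst_latency_us / segment_gap_us) + 2
    return (n - 1) * mss + 1


if __name__ == "__main__":
    for size in (1000, 24820, 24821, 100_000):
        print(size, rst_race(size))
    print("RST can only help above", min_overflow_bytes_for_rst(), "bytes")
```

With these assumed numbers a single-segment overflow is never stopped, which is the point made in the thread; the RST only has a chance once the payload spans well over a dozen segments.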
Current thread:
- TCP Reset michael . porter (May 19)
- <Possible follow-ups>
- RE: TCP Reset Frank Knobbe (May 19)
- RE: TCP Reset Lampe, John W. (May 19)
- RE: TCP Reset michael . porter (May 20)
- Re: TCP Reset Andreas Hasenack (May 20)
- RE: TCP Reset Lampe, John W. (May 20)
- RE: TCP Reset michael . porter (May 20)
- RE: TCP Reset Erik Engberg (May 22)