Snort mailing list archives

Re: Snort+flexresp

From: Sonika Malhotra <sonikam () magnum barc ernet in>
Date: Wed, 13 Mar 2002 11:40:29 +0530

Roel,
    Thanks for this detail explanation.Does this indicate that in every( WAN )
case where the delay is more ,the possibility of RST packet, generated by snort,
reaching the other end increases? That is if the no. of hops are more, it is more
likely that the snort terminates the connection.But in any case it is not
guaranteed!..

Regds:-
sm

Roelof JT Jonkman wrote:

Sonika,

This is a somwhat common problem. I'll try my best to explain this somewhat.
(Marty and other have explained this well in the past)

Whenever you see the alert gets generated, snort has to fabricate two
packets with the RST flag set, one for the server, and one for the client.
The crucial piece is that the sequence number matches that of the connection.
If the sequence number is off, it simply gets discarded. It obviously takes
some time to fabricate these packets. In the mean time the server is also
working on a response to the client. The gotcha is when you do this
on a LAN, the delays are so low, that the server is likely to get back to
the client before snort/flexresp is able to generate the RST packets, and
the connection will have advanced beyond the sequence number that the
RST packets have, and swat, they get ignored. However on a WAN connection
where the delays are more than ~2ms, the RST packets will still have
a sequence number that matches the current sequence number of the connection,
and hence will convince both ends that the connection has ended.

This is sort of a terse background behind flexible response, and why
it works in some (WAN) cases, and not in others (LAN) This is
by no means complete, rather it reflects upon my understanding
of it.

Hope this helps.

Roel Jonkman
Security Engineer
http://www.SiliconDefense.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Snort+flexresp Sonika Malhotra (Mar 11)
- Re: Snort+flexresp Roelof JT Jonkman (Mar 11)
  - Re: Snort+flexresp Sonika Malhotra (Mar 12)
    - RE: Snort+flexresp skill2die4 (Mar 13)
    - RE: Snort+flexresp Bamm (Robert) Visscher (Mar 13)
    - Re: Snort+flexresp Sonika Malhotra (Mar 14)
    - Re: Snort+flexresp Sam (Mar 14)
    - Re: Snort+flexresp Bamm Visscher (Mar 14)
    - Re: Snort+flexresp Jeff Nathan (Mar 25)
    - Re: Snort+flexresp Bamm Visscher (Mar 26)
    - Re: Snort+flexresp Jeff Nathan (Mar 26)
    - Re: Snort+flexresp Roelof JT Jonkman (Mar 13)
- <Possible follow-ups>
- RE: Snort+flexresp Ronneil Camara (Mar 26)

(Thread continues...)