Snort mailing list archives
Re: Snort+flexresp
From: Sonika Malhotra <sonikam () magnum barc ernet in>
Date: Wed, 13 Mar 2002 11:40:29 +0530
Roel,

Thanks for this detailed explanation. Does this indicate that in every (WAN) case where the delay is more, the possibility of the RST packet generated by snort reaching the other end increases? That is, if the no. of hops is more, it is more likely that snort terminates the connection. But in any case it is not guaranteed!

Regds:-
sm

Roelof JT Jonkman wrote:

Sonika,

This is a somewhat common problem. I'll try my best to explain this somewhat. (Marty and others have explained this well in the past.)

Whenever you see the alert get generated, snort has to fabricate two packets with the RST flag set, one for the server, and one for the client. The crucial piece is that the sequence number matches that of the connection. If the sequence number is off, it simply gets discarded. It obviously takes some time to fabricate these packets. In the meantime the server is also working on a response to the client.

The gotcha is when you do this on a LAN, the delays are so low that the server is likely to get back to the client before snort/flexresp is able to generate the RST packets, and the connection will have advanced beyond the sequence number that the RST packets have, and swat, they get ignored. However, on a WAN connection where the delays are more than ~2ms, the RST packets will still have a sequence number that matches the current sequence number of the connection, and hence will convince both ends that the connection has ended.

This is sort of a terse background behind flexible response, and why it works in some (WAN) cases and not in others (LAN). This is by no means complete; rather it reflects upon my understanding of it.

Hope this helps.

Roel Jonkman
Security Engineer
http://www.SiliconDefense.com

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
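The race Roel describes, as an added example that is not code from the thread or from Snort: a toy model of the client's receive side, using the classic RFC 793 rule that a RST is honoured only when its sequence number lies inside the receive window (modern stacks following RFC 5961 are stricter and require an exact match, which only makes the race harder to win). The timings, sequence numbers and window size are constructed inputs.

```python
from dataclasses import dataclass


@dataclass
class ClientTcpState:
    """Minimal receive-side TCP state of the client (constructed model)."""
    rcv_nxt: int   # next sequence number the client expects from the server
    rcv_wnd: int   # advertised receive window, bytes

    def accepts_rst(self, seq: int) -> bool:
        # RFC 793 check: a RST is honoured only if its sequence number lies
        # inside the receive window [rcv_nxt, rcv_nxt + rcv_wnd).
        return self.rcv_nxt <= seq < self.rcv_nxt + self.rcv_wnd

    def deliver(self, nbytes: int) -> None:
        # In-order data from the server advances the window edge.
        self.rcv_nxt += nbytes


def flexresp_race(server_reply_ms: float, snort_rst_ms: float,
                  reply_len: int, server_seq: int, rcv_wnd: int = 65535) -> bool:
    """Return True if the forged RST aimed at the client is accepted.

    At t=0 the sensor sniffs the offending request; its ACK field gives the
    server's current sequence number (server_seq), which is copied into the
    fabricated RST. The server's reply (reply_len bytes) reaches the client
    at server_reply_ms; the RST reaches it at snort_rst_ms (fabrication time
    plus propagation). Whichever lands first decides the outcome.
    """
    client = ClientTcpState(rcv_nxt=server_seq, rcv_wnd=rcv_wnd)
    for _, kind in sorted([(server_reply_ms, "data"), (snort_rst_ms, "rst")]):
        if kind == "data":
            client.deliver(reply_len)      # connection has moved on
        else:
            return client.accepts_rst(server_seq)
    return False


if __name__ == "__main__":
    # LAN: server answers in 0.5 ms, the sensor needs ~2 ms to forge the RST.
    print("LAN:", flexresp_race(0.5, 2.0, reply_len=1460, server_seq=1000))
    # WAN: 40 ms round trip to the server, the same 2 ms for the sensor.
    print("WAN:", flexresp_race(40.0, 2.0, reply_len=1460, server_seq=1000))
```

A bare ACK from the server (reply_len=0) does not advance rcv_nxt, so the RST still lands even on the LAN; it is the server's data, not its speed alone, that defeats the reset.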
Current thread:
- Snort+flexresp Sonika Malhotra (Mar 11)
- Re: Snort+flexresp Roelof JT Jonkman (Mar 11)
- Re: Snort+flexresp Sonika Malhotra (Mar 12)
- RE: Snort+flexresp skill2die4 (Mar 13)
- RE: Snort+flexresp Bamm (Robert) Visscher (Mar 13)
- Re: Snort+flexresp Sonika Malhotra (Mar 14)
- Re: Snort+flexresp Sam (Mar 14)
- Re: Snort+flexresp Bamm Visscher (Mar 14)
- Re: Snort+flexresp Jeff Nathan (Mar 25)
- Re: Snort+flexresp Bamm Visscher (Mar 26)
- Re: Snort+flexresp Jeff Nathan (Mar 26)
- Re: Snort+flexresp Sonika Malhotra (Mar 12)
- Re: Snort+flexresp Roelof JT Jonkman (Mar 11)
- Re: Snort+flexresp Roelof JT Jonkman (Mar 13)
- <Possible follow-ups>
- RE: Snort+flexresp Ronneil Camara (Mar 26)