Snort mailing list archives

Re: Snort+flexresp

From: Jeff Nathan <jeff () snort org>
Date: Wed, 27 Mar 2002 13:58:52 -0800

Bamm Visscher wrote:


Jeff,

Okay, I think I finally see what you are driving at. Your concern is
that flex-resp will not be able to kill a connection before it can
establish a session. While my intent with these rules, is to kill a
session before any communcations (ie execed commands) can take place.
So, although snort will alert and attempt to use flex resp to kill the
connection on the initial syn packet (will flex-resp be able to use the
ack in the syn/ack to craft a reset?), it won't be successful until it
gets an (good) ack. This is not a problem since once the session has
been established and either end tries to send data, the connection will
be successfully killed. Yes, this will generate multiple alerts, but the
point of instituting an alert like this is to keep the perp from
communicating (execing commands etc) with the compromised server. This
of course all depends (like I said in each post) on the protocol doing
the "communicating". HTTP is not very reset friendly, while interactive
services like ssh, telnet, FTP, etc. are.

BTW, maybe a better rule would use (flags: !RS;).

Bammkkkk



Hi Bamm,

I'll admit that's a creative solution that may work.  Sending a RST in
response to the initial SYN will be ignored but as you mentioned the
RSTs generated in response to ACKing back and forth may actually work.

To anyone using flexresp, I would suggest using rst_all when creating
TCP response rules.  Your IDS is likely much closer physically to any
system you're protecting than it is to the attacker and thus the latency
to the server is less than that to the attacker.  Also, any attacker
worth his salt can simply configure a firewall he controlls between
himself and the target to simply block TCP RSTs thus making client
session sniping useless.  By reseting both sides of a connection there's
a much higher likelyhood of success.

-Jeff


-- 
http://jeff.wwti.com            (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

RE: Snort+flexresp, (continued)
- - - RE: Snort+flexresp Bamm (Robert) Visscher (Mar 13)
    - Re: Snort+flexresp Sonika Malhotra (Mar 14)
    - Re: Snort+flexresp Sam (Mar 14)
    - Re: Snort+flexresp Bamm Visscher (Mar 14)
    - Re: Snort+flexresp Jeff Nathan (Mar 25)
    - Re: Snort+flexresp Bamm Visscher (Mar 26)
    - Re: Snort+flexresp Jeff Nathan (Mar 26)
    - Re: Snort+flexresp Roelof JT Jonkman (Mar 13)
- RE: Snort+flexresp Ronneil Camara (Mar 26)
- Re: Snort+flexresp Bamm Visscher (Mar 26)
  - Re: Snort+flexresp Jeff Nathan (Mar 27)
- RE: Snort+flexresp Bamm Visscher (Mar 27)
  - Re: Snort+flexresp Onie Camara (Mar 28)
    - Re: Snort+flexresp Bamm Visscher (Mar 28)
    - Re: Snort+flexresp Onie Camara (Mar 28)
    - Re: Snort+flexresp Bamm Visscher (Mar 28)
    - Re: Snort+flexresp Onie Camara (Mar 28)
- RE: Snort+flexresp Sheahan, Paul (PCLN-NW) (Mar 28)
  - Re: Snort+flexresp Onie Camara (Mar 28)
- RE: Snort+flexresp Sheahan, Paul (PCLN-NW) (Mar 28)
  - Re: Snort+flexresp Onie Camara (Mar 28)

(Thread continues...)