Snort mailing list archives
Re: Snort+flexresp
From: Jeff Nathan <jeff () snort org>
Date: Wed, 27 Mar 2002 13:58:52 -0800
Bamm Visscher wrote:
Jeff, Okay, I think I finally see what you are driving at. Your concern is that flex-resp will not be able to kill a connection before it can establish a session. While my intent with these rules is to kill a session before any communications (i.e. exec'ed commands) can take place. So, although snort will alert and attempt to use flex resp to kill the connection on the initial syn packet (will flex-resp be able to use the ack in the syn/ack to craft a reset?), it won't be successful until it gets a (good) ack. This is not a problem since once the session has been established and either end tries to send data, the connection will be successfully killed. Yes, this will generate multiple alerts, but the point of instituting an alert like this is to keep the perp from communicating (exec'ing commands etc) with the compromised server. This of course all depends (like I said in each post) on the protocol doing the "communicating". HTTP is not very reset friendly, while interactive services like ssh, telnet, FTP, etc. are. BTW, maybe a better rule would use (flags: !RS;). Bammkkkk
Hi Bamm, I'll admit that's a creative solution that may work. Sending a RST in response to the initial SYN will be ignored but as you mentioned the RSTs generated in response to ACKing back and forth may actually work. To anyone using flexresp, I would suggest using rst_all when creating TCP response rules. Your IDS is likely much closer physically to any system you're protecting than it is to the attacker and thus the latency to the server is less than that to the attacker. Also, any attacker worth his salt can simply configure a firewall he controls between himself and the target to simply block TCP RSTs thus making client session sniping useless. By resetting both sides of a connection there's a much higher likelihood of success.
-Jeff
--
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen." - Albert Einstein
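The two points argued in this exchange (a reset aimed at a server that has not yet left LISTEN is ignored, and resetting only the attacker's side fails once the attacker filters inbound RSTs) both follow from the RFC 793 rules an endpoint applies before honouring a RST. The following model is an added illustration, not Snort code and not anything posted in this thread: it encodes those acceptance checks and a flexresp-style responder for Snort's three TCP reset modes (rst_snd, rst_rcv and the rst_all recommended above), then replays a constructed handshake and data segment through it. Endpoint names, sequence numbers, window sizes and the "attacker drops inbound RSTs" flag are all made-up inputs for the demonstration.

```python
"""Model of the RFC 793 checks an endpoint applies before honouring an inbound
RST, used to reason about when an IDS-injected reset (Snort flexresp:
resp:rst_snd / rst_rcv / rst_all) actually tears a session down.
Constructed example; endpoint states and numbers are invented for illustration."""

from dataclasses import dataclass, field


@dataclass
class Endpoint:
    name: str
    state: str            # "LISTEN", "SYN_SENT" or "ESTABLISHED"
    iss: int = 0          # our initial send sequence number
    snd_nxt: int = 0      # next sequence number we will send
    rcv_nxt: int = 0      # next sequence number we expect to receive
    rcv_wnd: int = 0      # receive window
    drops_inbound_rst: bool = False   # e.g. a firewall in front of the attacker


@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    ack: int
    flags: set = field(default_factory=set)   # subset of {"SYN","ACK","RST","PSH","FIN"}
    payload_len: int = 0


def rst_accepted(ep: Endpoint, rst: Segment) -> bool:
    """RFC 793 acceptance test for a RST arriving at endpoint `ep`."""
    if ep.drops_inbound_rst:
        return False                      # filtered before it reaches the stack
    if ep.state == "LISTEN":
        return False                      # RFC 793: a RST in LISTEN is ignored
    if ep.state == "SYN_SENT":
        # Honoured only if the ACK field acknowledges our SYN.
        return "ACK" in rst.flags and ep.iss < rst.ack <= ep.snd_nxt
    # SYN_RECEIVED / ESTABLISHED: the RST's seq must fall in the receive window.
    return ep.rcv_nxt <= rst.seq < ep.rcv_nxt + ep.rcv_wnd


def seq_consumed(seg: Segment) -> int:
    """Sequence space a segment occupies: payload bytes plus one each for SYN/FIN."""
    return seg.payload_len + ("SYN" in seg.flags) + ("FIN" in seg.flags)


def craft_resets(observed: Segment, mode: str) -> list:
    """Build the RST(s) a flexresp-style responder sends for `mode` after seeing `observed`."""
    resets = []
    if mode in ("rst_snd", "rst_all"):
        # Toward the sender, impersonating the receiver: our seq is what the sender
        # expects next (its ack field) and we acknowledge everything it just sent.
        resets.append(Segment(observed.dst, observed.src, observed.ack,
                              observed.seq + seq_consumed(observed), {"RST", "ACK"}))
    if mode in ("rst_rcv", "rst_all"):
        # Toward the receiver, impersonating the sender. Using the post-segment
        # sequence number keeps the RST in-window whether or not the receiver has
        # already consumed the observed segment (the window dwarfs one segment).
        resets.append(Segment(observed.src, observed.dst,
                              observed.seq + seq_consumed(observed), observed.ack,
                              {"RST", "ACK"}))
    return resets


def apply_resets(endpoints: dict, observed: Segment, mode: str) -> set:
    """Return the names of the endpoints that actually end up reset."""
    return {rst.dst for rst in craft_resets(observed, mode)
            if rst_accepted(endpoints[rst.dst], rst)}


def scenario_handshake_syn(mode: str) -> set:
    """Responder fires on the initial SYN; the server is still in LISTEN."""
    client = Endpoint("client", "SYN_SENT", iss=1000, snd_nxt=1001)
    server = Endpoint("server", "LISTEN")
    syn = Segment("client", "server", seq=1000, ack=0, flags={"SYN"})
    return apply_resets({"client": client, "server": server}, syn, mode)


def scenario_established(mode: str, attacker_filters_rst: bool = False) -> set:
    """Responder fires on the first data segment of an established session."""
    client = Endpoint("client", "ESTABLISHED", iss=1000, snd_nxt=1011,
                      rcv_nxt=5001, rcv_wnd=65535,
                      drops_inbound_rst=attacker_filters_rst)
    server = Endpoint("server", "ESTABLISHED", iss=5000, snd_nxt=5001,
                      rcv_nxt=1011, rcv_wnd=65535)
    data = Segment("client", "server", seq=1001, ack=5001,
                   flags={"ACK", "PSH"}, payload_len=10)
    return apply_resets({"client": client, "server": server}, data, mode)


if __name__ == "__main__":
    print("rst_rcv on bare SYN, server in LISTEN:", scenario_handshake_syn("rst_rcv"))
    for mode in ("rst_snd", "rst_rcv", "rst_all"):
        print(f"{mode:8} established, attacker filters RST:",
              scenario_established(mode, attacker_filters_rst=True))
```

Run stand-alone it prints that the LISTEN-state server ignores the SYN-stage reset, and that once the attacker filters inbound RSTs only the modes that also reset the server side (rst_rcv, rst_all) still end the session, which is the reasoning behind the rst_all recommendation.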