Snort mailing list archives

Previous By Date Next
Previous By Thread Next

TCP Resets

From: "Josh Berry" <josh.berry () netschematics com>
Date: Fri, 27 Feb 2004 18:38:17 -0600 (CST)
I am trying to assess the value of using TCP Resets on Exploit attacks
over TCP such as Blaster and Code Red.  It seems as though trying to reset
these types of connections will just double the amount of network traffic
while not stopping the exploit.  Won't the reset reach the machine too
late as the IDS is reacting just after the connection is seen?

Is there only value for doing this if the exploit can be spotted in the
initial SYN but the actual malicious content is contained in the Data
portion after the 3-way-handshake.

Correct me anywhere that I am wrong.

Thanks,
Josh Berry


-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id=1356&alloc_id=3438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Previous By Date Next
Previous By Thread Next

Current thread: