Snort mailing list archives

Re: TCP Resets


From: Gary Flynn <flynngn () jmu edu>
Date: Sat, 28 Feb 2004 23:59:48 -0500


One more consideration. If you're running something inline
and you drop a packet, you have to consider the effects on
the overlying application.

For example, an SMTP server sending a virus in the middle of
a set of messages may queue up messages behind the failed
transmission.

Not only that, if worm activity is heavy you better drop
the server connection after you drop the packet. Doing
otherwise does bad things due to a bunch of half-open
connections on the receiving server. I speak from a
bad experience on that one. :)

As someone told me on another list, that is the price one pays
when one tries to address an application problem at the
network layer.
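
The drop-then-reset point above, as an added example that is not part of the original post: two Snort 2.x inline-mode rules, one using `drop` alone and one using `reject`, which discards the packet and also sends a TCP reset. The message text, content string and sids are constructed placeholders, and the rules assume `$EXTERNAL_NET` and `$SMTP_SERVERS` are defined in snort.conf.

```snort
# Constructed rules for illustration; the content string and sids are placeholders.

# Drop only: the offending packet is discarded and logged, but neither endpoint
# is told. The receiving server holds the connection until its own timeout
# expires, which is how the stalled connections pile up under heavy worm traffic.
drop tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE worm attachment (drop only)"; flow:to_server,established; content:"EXAMPLE-PLACEHOLDER-SIGNATURE"; sid:1000001; rev:1;)

# Reject: the packet is discarded and logged, and a TCP reset is sent so the
# connection is torn down instead of lingering.
reject tcp $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:"EXAMPLE worm attachment (drop and reset)"; flow:to_server,established; content:"EXAMPLE-PLACEHOLDER-SIGNATURE"; sid:1000002; rev:1;)
```

Whether the reset actually reaches the receiving server depends on the Snort version and its response configuration, so confirm it with a packet capture on the server side before relying on it.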
