Snort mailing list archives

Re: More TCP Reset Questions


From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 01 Mar 2004 13:14:14 -0500

At 10:22 AM 3/1/2004, Josh Berry wrote:
In what situations do users on this list recommend using TCP-Resets, if
they are recommended at all?  So far all I have is policy issues like Chat
and P2P clients where resets disrupt the operation of the client, is
there anything else?

Generally speaking, I'd say they are acceptable to use for almost anything that is clearly not permitted in your network.

Attack sigs with no known FPs, Policy issues, etc are all fine.

However, NEVER rely on tcp resets as your only line of defense against attacks. Flexresp is a great add-on to your network, but it should not be used to try to replace a firewall, or a mail-server virus scanner.

In general keep in mind that a skilled attacker is likely to be able to get past a tcp reset with a few tries at advancing the sequence number. Flexresp2 makes it harder for the attacker, but given sufficient tries they will eventually get past it if they know what they are doing. Even an automated attack which isn't designed to evade flexresp has a small chance of evading it.

Keeping that limitation in mind will help you avoid the tragic mistake of over-dependence on flexresp to provide network security. As long as you realize where its limits are, feel free to implement it with most any rule that isn't noisy and FP prone.

There's no reason to avoid using tcp resets. There's just reason to avoid treating them as "solid" protection.
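As an added illustration (not part of Matt's post or of Snort's code), the Python below models the RFC 793 sequence-number acceptance check a receiving TCP applies to an inbound RST. It shows why a sensor-generated reset only works if it lands inside the receiver's window, and why it is silently dropped once the sender has already pushed more data past the point the sensor based its reset on. Function names, window sizes and sequence numbers are constructed for the example.

```python
# Added example: why an injected TCP RST (e.g. from Snort flexresp) can miss.
# A TCP receiver only honours a RST whose sequence number is acceptable;
# everything here follows RFC 793 section 3.4 (and the stricter RFC 5961 rule).
SEQ_MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 test: rcv_nxt <= seq < rcv_nxt + rcv_wnd, computed modulo 2^32.

    Using modular subtraction handles the wraparound case correctly:
    a seq slightly *below* rcv_nxt becomes a huge positive offset and fails.
    """
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def rst_accepted(rst_seq: int, rcv_nxt: int, rcv_wnd: int, strict: bool = False) -> bool:
    """Would the receiver tear down the connection on this RST?

    strict=False: classic RFC 793 behaviour, any in-window RST is accepted.
    strict=True:  RFC 5961 behaviour, only an exact rcv_nxt match resets;
                  other in-window RSTs trigger a challenge ACK instead.
    """
    if strict:
        return rst_seq == rcv_nxt
    return seq_in_window(rst_seq, rcv_nxt, rcv_wnd)


def flexresp_rst_effective(observed_seq: int, payload_len: int,
                           bytes_delivered_before_rst: int,
                           rcv_wnd: int = 65535, strict: bool = False) -> bool:
    """Model one reset race (constructed scenario, not Snort's implementation).

    The sensor sees a segment (observed_seq, payload_len) that matches a rule
    and sends the receiver a RST with seq = observed_seq + payload_len.
    Meanwhile the sender may already have delivered more bytes, so the
    receiver's rcv_nxt has moved on.  The RST is only effective if its
    sequence number is still acceptable when it arrives.
    """
    rst_seq = (observed_seq + payload_len) % SEQ_MOD
    rcv_nxt = (observed_seq + payload_len + bytes_delivered_before_rst) % SEQ_MOD
    return rst_accepted(rst_seq, rcv_nxt, rcv_wnd, strict)


if __name__ == "__main__":
    # RST arrives before any further data: accepted, connection torn down.
    print("no race:", flexresp_rst_effective(1000, 100, 0))          # True
    # One more full segment got there first: RST is now stale and ignored.
    print("lost race:", flexresp_rst_effective(1000, 100, 1460))     # False
    # Sequence space wraps past 2^32; the modular check still works.
    print("wraparound:", flexresp_rst_effective(SEQ_MOD - 50, 100, 0))  # True
```

The "lost race" case is the gap Matt describes: a sender who keeps advancing the sequence number leaves the sensor's reset below the receiver's window, so it is discarded and the session survives.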



