Snort mailing list archives

Re: More TCP Reset Questions


From: "Josh Berry" <josh.berry () netschematics com>
Date: Mon, 1 Mar 2004 13:04:52 -0600 (CST)

Correct me if I am wrong, but won't TCP resets for attacks like worms just
produce more traffic?  It will just multiply the amount of network traffic
and will not stop the worm, as the reset will not make it until the
malicious payload has already hit your server/desktop.  This is why it is
hard for me to find value in resets except for persistent-connection
applications like P2P, chat, backdoors, and Trojans.

Thanks

At 10:22 AM 3/1/2004, Josh Berry wrote:
In what situations do users on this list recommend using TCP resets, if
they are recommended at all?  So far all I have is policy issues like chat
and P2P clients, where resets disrupt the operation of the client. Is
there anything else?

Generally speaking, I'd say they are acceptable to use for almost anything
that is clearly not permitted in your network.

Attack sigs with no known FPs, Policy issues, etc are all fine.

However, NEVER rely on tcp resets as your only line of defense against
attacks. Flexresp is a great add-on to your network, but it should not be
used to try to replace a firewall, or a mail-server virus scanner.

In general, keep in mind that a skilled attacker is likely to be able to
get past a TCP reset with a few tries at advancing the sequence number.
Flexresp2 makes it harder for the attacker, but given sufficient tries
they will eventually get past it if they know what they are doing. Even an
automated attack which isn't designed to evade flexresp has a small chance
of evading it.

Keeping that limitation in mind will help you avoid the tragic mistake of
over-dependence on flexresp to provide network security. As long as you
realize where its limits are, feel free to implement it with most any sa
rule that isn't noisy and FP-prone.

There's no reason to avoid using tcp resets. There's just reason to avoid
treating them as "solid" protection.
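The sequence-number race the reply describes, as an added example (not code from the thread, and not Snort's flexresp/flexresp2 implementation): a small Python model of a victim TCP endpoint, an IDS that fires RSTs after seeing one attacker packet, and an attacker who keeps streaming before those RSTs arrive. The 65535-byte window, the starting sequence numbers and the packet sizes are constructed values; modelling flexresp2 as "several RSTs stepped across the window" is an assumption about the tool, not something the thread states. The strict mode models RFC 5961, where a RST is honoured only if its sequence number equals RCV.NXT exactly.

```python
"""Constructed model of the TCP-reset race described in the thread above.

This is an added example, not Snort's flexresp/flexresp2 code.  It models:
  * a victim TCP endpoint and its RST acceptance rule,
  * an IDS that sees one attacker packet and fires RSTs at the victim,
  * an attacker who keeps pushing data before those RSTs arrive.
Flow control and retransmission are ignored; 'window' is an assumed
receive window, and spreading RSTs across it is how flexresp2 is
modelled here (an assumption about the tool, not taken from the thread).
"""
from dataclasses import dataclass

SEQ_MOD = 2 ** 32


def seq_in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, modulo 2^32."""
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


@dataclass
class Victim:
    rcv_nxt: int
    rcv_wnd: int = 65535
    # strict=True models RFC 5961: a RST is honoured only when SEG.SEQ equals
    # RCV.NXT exactly; an in-window but inexact RST gets a challenge ACK instead.
    strict: bool = False

    def deliver(self, seq, length):
        """Accept in-order data from the attacker and advance RCV.NXT."""
        if seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + length) % SEQ_MOD
        return True

    def accepts_rst(self, seq):
        """Would this endpoint tear the connection down on a RST with this SEQ?"""
        if self.strict:
            return seq == self.rcv_nxt
        return seq_in_window(seq, self.rcv_nxt, self.rcv_wnd)


def rst_candidates(observed_seq, observed_len, attempts, window):
    """Sequence numbers the IDS puts in its RSTs after seeing one packet.

    attempts == 1: a single RST aimed at the byte following the observed
    payload (classic flexresp).  attempts > 1: the same RST plus copies
    stepped across the assumed window, so one of them may still be
    in-window if RCV.NXT has moved (the flexresp2 idea, as modelled here).
    """
    base = (observed_seq + observed_len) % SEQ_MOD
    step = window // attempts
    return [(base + i * step) % SEQ_MOD for i in range(attempts)]


def reset_succeeds(attacker_advance, attempts, strict=False, window=65535):
    """Does at least one IDS RST tear down the connection?

    attacker_advance: bytes the attacker manages to push after the packet
    the IDS alerted on, before the RSTs reach the victim.
    """
    victim = Victim(rcv_nxt=1000, rcv_wnd=window, strict=strict)
    observed_seq, observed_len = 1000, 200      # constructed: packet that matched a rule
    victim.deliver(observed_seq, observed_len)  # payload lands before any RST can
    rsts = rst_candidates(observed_seq, observed_len, attempts, window)
    if attacker_advance:
        victim.deliver(victim.rcv_nxt, attacker_advance)
    return any(victim.accepts_rst(s) for s in rsts)


if __name__ == "__main__":
    print("advance attempts strict -> reset worked")
    for adv in (0, 100, 10_000, 65_535):
        for attempts in (1, 4):
            for strict in (False, True):
                print(f"{adv:>7} {attempts:>8} {str(strict):>6} -> "
                      f"{reset_succeeds(adv, attempts, strict)}")
```

Running it prints a small table. With no further attacker data the single RST lands; once the attacker pushes even 100 more bytes before the RST arrives, the single RST is behind RCV.NXT and the victim drops it. Stepping four RSTs across the window recovers that case, but an attacker who advances a full window before the RSTs arrive evades all of them, which is the "given sufficient tries" caveat above. In strict (RFC 5961) mode only an exactly matching sequence number works, so spreading RSTs buys nothing there, and in every case the alerted-on payload has already been delivered, which is the point made at the top of this message.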
