Snort mailing list archives

RE: [OT] - RE: Repost: resp:rst_all not working


From: "Lucretia Enterprises" <info () lucretia ca>
Date: Fri, 5 Mar 2004 21:01:06 -0700

I think it's rather simplistic to think flexresponse ADDs anything to
Snort.

Just my 10 drinks....

James Friesen
CIO
Lucretia Enterprises
info at lucretia dot ca
http://www.lucretia.ca/


:> -----Original Message-----
:> From: snort-users-admin () lists sourceforge net 
:> [mailto:snort-users-admin () lists sourceforge net] On Behalf 
:> Of bmcdowell () coxhealthplans com
:> Sent: Friday, March 05, 2004 1:54 PM
:> To: snort-users () lists sourceforge net
:> Subject: [OT] - RE: [Snort-users] Repost: resp:rst_all not working
:> 
:> 
:> 
:> Please add to the drinking game:
:> 
:> If Matt Kettler lets a question about flexresponse
:> go by without explaining why TCP resets are a bad idea -
:> take 10 drinks.
:> 
:> (Just giving him a hard time, of course.  But you can 
:> probably set your watch by the lag between such a question 
:> and the inevitable response...)
:> 
:> -----Original Message-----
:> From: snort-users-admin () lists sourceforge net
:> [mailto:snort-users-admin () lists sourceforge net]On Behalf Of 
:> Matt Kettler
:> Sent: Friday, March 05, 2004 10:43 AM
:> To: Venkata Raghavan; snort-users () lists sourceforge net
:> Subject: Re: [Snort-users] Repost: resp:rst_all not working
:> 
:> 
:> At 04:00 AM 3/5/2004, Venkata Raghavan wrote:
:> >alert tcp any any -> $HOME_NET 25 (msg:"SMTP Rule Testing";
:> >flow:to_server,established; content:"test"; nocase; resp:rst_all;)
:> >After this, when I launch a telnet (port 25) session to an SMTP server
:> >from my Windows client, the alert gets generated. But there is no reset.
:> >Then I tried the telnet from a Linux PC - this time it gets reset.
:> >When I check the packets sent using Ethereal, I observe that whereas
:> >from a Windows PC the data "test" comes as four packets, from a Linux PC
:> >"test" comes as a single packet of data. I guess this is a problem with
:> >the WinXP version of the Telnet client.
:> 
:> None of this is a problem in a telnet client. Technically the
:> Windows XP one is doing the right thing and disabling Nagle.
:> 
:> The reason it's "not working" is you're just unaware of the
:> limitations of TCP resets.
:> 
:> 1) TCP reset is a race between Snort and the host that you
:> aren't sending a reset to. Whoever gets the packet to the host
:> Snort is trying to reset wins the race.
:> 
:> 2) flexresp is only likely to win this race if there's a significant
:> latency somewhere between the hosts you are desynchronizing.
:> TCP resets work VERY poorly within a LAN.
:> 
:> 3) It's pointless to send resets to an attacker. If they are
:> smart, they'll be filtering them. Reset your local server or client
:> instead. rst_all doesn't hurt, but realize that the one sent to the
:> attack originator won't do much good unless the attacker is
:> automated or stupid.
:> 
:> 4) Smart attackers can generally evade flexresp by cheating and
:> starting the race early. Non-nagled TCP connections (i.e. telnet) are
:> actually likely to evade it by the natural patterns of their traffic.
:> Flexresp2 makes this harder, and will generally deal with Nagle
:> issues, but a clever attacker can still have some chance of winning
:> regardless.
:> 



-------------------------------------------------------
This SF.Net email is sponsored by: IBM Linux Tutorials
Free Linux tutorial presented by Daniel Robbins, President and CEO of
GenToo technologies. Learn everything from fundamentals to system
administration.http://ads.osdn.com/?ad_id70&alloc_id638&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
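The race Matt Kettler describes in the quoted message (points 1 to 4) can be made concrete with a small model. The code below is an added example, not code from the thread and not Snort's flexresp implementation: a passive sensor reassembles the client's bytes, alerts on the content "test", and forges one RST toward the server using the last sequence number it has seen; the server honours that RST only if its sequence number is acceptable. The names (`Receiver`, `Sensor`, `simulate`), the initial sequence number and the one-byte-per-segment "WinXP telnet" traffic are constructed for the example. It goes slightly beyond the thread in two places, both labelled in the code: the `strict` flag models the later RFC 5961 rule (a RST must carry exactly RCV.NXT), and `drops_rst` models the attacker from point 3 who simply filters inbound resets.

```python
# Added example (not from the thread, not Snort code): a model of the
# TCP-reset race. A passive sensor sees client->server segments, fires on a
# content match and forges a RST toward the server. The server accepts a RST
# only if its sequence number is in the receive window (RFC 793) or, with
# strict=True, equals RCV.NXT exactly (RFC 5961, added here for comparison).
# Every client segment that reaches the server before the forged RST moves
# RCV.NXT forward and can make the RST stale, which is the race being lost.
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Segment:
    seq: int                 # sequence number of the first payload byte
    payload: bytes = b""
    rst: bool = False


@dataclass
class Receiver:
    """Receive side of the endpoint the sensor is trying to reset."""
    rcv_nxt: int
    rcv_wnd: int = 65535
    strict: bool = False      # RFC 5961 style: RST must carry exactly rcv_nxt
    drops_rst: bool = False   # attacker host that firewalls inbound RSTs
    reset: bool = False
    stream: bytearray = field(default_factory=bytearray)

    def deliver(self, seg: Segment) -> str:
        if self.reset:
            return "dropped: connection already reset"
        if seg.rst:
            if self.drops_rst:
                return "RST filtered by host"
            if self.strict:
                ok = seg.seq == self.rcv_nxt
            else:
                ok = self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd
            if ok:
                self.reset = True
                return "RST accepted"
            return f"RST rejected: seq {seg.seq}, rcv_nxt {self.rcv_nxt}"
        if seg.seq != self.rcv_nxt:          # model handles in-order data only
            return f"data out of order: seq {seg.seq}, rcv_nxt {self.rcv_nxt}"
        self.stream += seg.payload
        self.rcv_nxt += len(seg.payload)
        return f"data accepted: {seg.payload!r}"


class Sensor:
    """Passive IDS: reassembles client->server bytes, alerts on a content
    match, and forges one RST that claims to come from the client."""

    def __init__(self, pattern: bytes):
        self.pattern = pattern
        self.seen = bytearray()
        self.fired = False

    def observe(self, seg: Segment) -> Optional[Segment]:
        self.seen += seg.payload
        if not self.fired and self.pattern in self.seen:
            self.fired = True
            # Best sequence number the sensor knows: the byte after the last
            # client segment it has seen. Anything sent later makes it stale.
            return Segment(seq=seg.seq + len(seg.payload), rst=True)
        return None


def simulate(chunks: List[bytes], in_flight: int, strict: bool = False,
             drops_rst: bool = False, isn: int = 1000,
             pattern: bytes = b"test") -> Tuple[bool, List[str]]:
    """Client sends each chunk as its own segment. When the sensor fires,
    `in_flight` further client segments are already ahead of the forged RST
    on the path to the server. Returns (server_was_reset, event log)."""
    server = Receiver(rcv_nxt=isn, strict=strict, drops_rst=drops_rst)
    sensor = Sensor(pattern)
    segs, seq = [], isn
    for c in chunks:                 # constructed client traffic
        segs.append(Segment(seq, c))
        seq += len(c)
    log: List[str] = []
    i = 0
    while i < len(segs):
        seg = segs[i]
        i += 1
        log.append(server.deliver(seg))
        rst = sensor.observe(seg)
        if rst is not None:
            for late in segs[i:i + in_flight]:   # these win the race
                log.append(server.deliver(late))
            i += in_flight
            log.append(server.deliver(rst))
    return server.reset, log


if __name__ == "__main__":
    # Nagle on (Linux telnet): "test\r\n" in one segment, nothing in flight.
    print(simulate([b"test\r\n"], in_flight=0))
    # Nagle off (WinXP telnet): one byte per segment; the sensor fires only
    # once it has reassembled "test", and "\r" is already on the wire.
    print(simulate([b"t", b"e", b"s", b"t", b"\r", b"\n"], in_flight=1))
    # Same traffic, but the target is an attacker that filters RSTs.
    print(simulate([b"test\r\n"], in_flight=0, drops_rst=True))
```

Run it as a script to see the three event logs. The single-segment case resets the server; the one-byte-per-segment case with one segment in flight does not, because the RST carries a sequence number the server has already moved past (`RST rejected`), and raising `in_flight` to model a sensor that is slower than the client has the same effect. Setting `in_flight=0` on the byte-at-a-time traffic shows that the reset does work when there is enough latency for the RST to arrive first, which is point 2 in the quoted message.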

