Snort mailing list archives
Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert
From: Bram <bram-fabeg () mail wizbit be>
Date: Thu, 19 Sep 2013 22:50:06 +0200
> > In my opinion the 'STREAM5_BAD_RST' alert should only be produced when the sequence in the packet is actually invalid according to the TCP RFC (= outside the TCP window). If the host chooses to ignore RFC-valid RST packets (which is/could be the case for Windows) then it should show a different alert. Currently it uses the same alert for both, which makes it less useful...
> >
> > Linking it back to the example above:
> >
> > For: 'other > windows: seq = 220, RST flag set' I do not expect 'STREAM5_BAD_RST' but something similar to 'STREAM5_RST_IGNORED_BY_HOST'
> >
> > For: 'other > windows: seq = 2200000000, RST flag set' I expect 'STREAM5_BAD_RST' because the sequence is completely outside the TCP window
> >
> > Does this make sense to you?
>
> Sure, but in both cases the RST is ignored by the receiving host.

That is correct, but there is a major difference in what it means and what actions should/need to be taken. When these are split into two rules then there is a clear distinction (and it allows enabling/disabling one of the rules).

If the RST packet is RFC-valid but ignored by the receiving host then there is nothing abnormal. The host sending the RST packet is RFC compliant, the host receiving it isn't, but that's not an anomaly (IMO).

If the RST packet is not RFC-valid then there is an anomaly which could/should be investigated. It could - for example - mean someone is attempting to cause a Denial of Service by sending RST packets and guessing the sequence numbers in it.

Currently there is no way to differentiate between the two, which seriously reduces the usability of the rule.

Best regards,
Bram
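The distinction Bram is asking for, written out as an added example that is not Snort/Stream5 code: an RST is first checked against the receiver's window with RFC 793 sequence arithmetic, and only an out-of-window RST gets the 'bad RST' label; an in-window RST that the receiving host's policy still discards gets the separate 'ignored by host' label he proposes. The window values (rcv_nxt = 200, rcv_wnd = 1000), the two host policies, and the per-source counter threshold are all constructed assumptions for the illustration; only the two seq values (220 and 2200000000) come from the thread.

```python
"""Classify TCP RST segments into the two alert classes discussed in the thread.

Added example, not Snort code. Assumed model:
  - 'rfc'   host policy: any RST whose seq lies in the receive window is accepted
            (plain RFC 793 acceptability).
  - 'exact' host policy: only seq == rcv_nxt is accepted; other in-window RSTs are
            silently dropped (the "Windows ignores it" behaviour the thread describes).
"""
from collections import Counter

SEQ_MOD = 2 ** 32

BAD_RST = "STREAM5_BAD_RST"                 # seq outside the receive window
RST_IGNORED = "STREAM5_RST_IGNORED_BY_HOST" # in-window, but host policy drops it (name proposed in thread)
RST_ACCEPTED = "RST_ACCEPTED"               # constructed label: connection would be reset


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a segment's SEQ against [rcv_nxt, rcv_nxt + rcv_wnd).

    Modular arithmetic makes the check correct across the 32-bit wraparound.
    A zero window accepts nothing (per the RFC, only SEQ == RCV.NXT with SEG.LEN == 0
    would be acceptable, and an RST carries no data, so we keep it strict here).
    """
    if rcv_wnd == 0:
        return False
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int, host_policy: str = "rfc") -> str:
    """Return one of BAD_RST, RST_IGNORED, RST_ACCEPTED for an RST with sequence `seq`."""
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return BAD_RST                       # anomaly: worth investigating
    if host_policy == "exact" and seq != rcv_nxt:
        return RST_IGNORED                   # RFC-valid sender, picky receiver: not an anomaly
    return RST_ACCEPTED


def count_bad_rsts(events, threshold: int = 5):
    """Detection helper: events are (src, dst, seq, rcv_nxt, rcv_wnd, host_policy) tuples.

    Returns the sources that produced at least `threshold` out-of-window RSTs, which is
    the "guessing sequence numbers" pattern the thread says the separate alert should
    make visible. The threshold is a constructed assumption.
    """
    bad = Counter()
    for src, dst, seq, rcv_nxt, rcv_wnd, policy in events:
        if classify_rst(seq, rcv_nxt, rcv_wnd, policy) == BAD_RST:
            bad[src] += 1
    return sorted(src for src, n in bad.items() if n >= threshold)


if __name__ == "__main__":
    # Constructed window for the 'other > windows' flow in the thread.
    RCV_NXT, RCV_WND = 200, 1000
    for seq in (200, 220, 2200000000):
        print(seq, classify_rst(seq, RCV_NXT, RCV_WND, host_policy="exact"))
```

Run stand-alone, the block prints RST_ACCEPTED for seq 200, STREAM5_RST_IGNORED_BY_HOST for seq 220, and STREAM5_BAD_RST for seq 2200000000, matching the expectation in the quoted message. The 'exact' policy is also what RFC 5961 (section 3.2) later standardised for RST handling, which is one more reason an in-window-but-ignored RST should not share an alert with a genuinely out-of-window one.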
Current thread:
- Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Aug 23)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Sep 18)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Russ Combs (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Russ Combs (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Russ Combs (Sep 23)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Russ Combs (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Sep 18)