Snort mailing list archives

Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert


From: Bram <bram-fabeg () mail wizbit be>
Date: Thu, 19 Sep 2013 22:50:06 +0200


>> In my opinion the 'STREAM5_BAD_RST' alert should only be produced when the
>> sequence in the packet is actually invalid according to the TCP RFC (i.e.
>> outside the TCP window).
>> If the host chooses to ignore RFC-valid RST packets (which is/could be the
>> case for Windows) then it should show a different alert.
>>
>> Currently it uses the same alert for both, which makes it less useful...
>>
>> Linking it back to the example above:
>>
>> For 'other > windows: seq = 220, RST flag set' I do not expect
>> 'STREAM5_BAD_RST' but something similar to 'STREAM5_RST_IGNORED_BY_HOST'.
>> For 'other > windows: seq = 2200000000, RST flag set' I expect
>> 'STREAM5_BAD_RST' because the sequence is completely outside the TCP window.
>>
>> Does this make sense to you?


> Sure, but in both cases the RST is ignored by the receiving host.

That is correct, but there is a major difference in what it means and
what actions should/need to be taken.

When these are split into two rules then there is a clear distinction
(and it allows enabling/disabling one of the rules).

If the RST packet is RFC-valid but ignored by the receiving host then
there is nothing abnormal.
The host sending the RST packet is RFC compliant, the host receiving
it isn't, but that's not an anomaly (IMO).

If the RST packet is not RFC-valid then there is an anomaly which
could/should be investigated.
It could - for example - mean someone is attempting to cause a Denial
of Service by sending RST packets and guessing the sequence numbers in
them.

Currently there is no way to differentiate between the two, which
seriously reduces the usability of the rule.


Best regards,

Bram





_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
