Snort mailing list archives
Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert
From: Russ Combs <rcombs () sourcefire com>
Date: Mon, 23 Sep 2013 13:47:57 -0400
On Thu, Sep 19, 2013 at 4:50 PM, Bram <bram-fabeg () mail wizbit be> wrote:
>>> In my opinion the 'STREAM5_BAD_RST' alert should only be produced when the sequence in the packet is actually invalid according to the TCP RFC (= outside the TCP window). If the host chooses to ignore RFC-valid RST packets (which is/could be the case for windows) then it should show a different alert. Currently it uses the same alert for both which makes it less useful...
>>>
>>> Linking it back to the example above:
>>>
>>> For: 'other > windows: seq = 220, RST flag set'
>>> I do not expect 'STREAM5_BAD_RST' but something similar to 'STREAM5_RST_IGNORED_BY_HOST'
>>>
>>> For: 'other > windows: seq = 2200000000, RST flag set'
>>> I expect 'STREAM5_BAD_RST' because the sequence is completely outside the TCP window
>>>
>>> Does this make sense to you?
>>
>> Sure, but in both cases the RST is ignored by the receiving host.
>
> That is correct but there is a major difference in what it means and what actions should/need to be taken.
>
> When these are split into two rules then there is a clear distinction (and it allows enabling/disabling one of the rules).
>
> If the RST packet is RFC-valid but ignored by the receiving host then there is nothing abnormal. The host sending the RST packet is RFC compliant, the host receiving it isn't, but that's not an anomaly (IMO).
>
> If the RST packet is not RFC-valid then there is an anomaly which could/should be investigated. It could - for example - mean someone is attempting to cause a Denial of Service by sending RST packets and guessing the sequence numbers in it.

I wouldn't interpret an out-of-window RST as non-"RFC-valid". It could be
a prior session or other issue.

> Currently there is no way to differentiate between the two which seriously reduces the usability of the rule.

I'll open a bug to look into this.

> Best regards,
> Bram
>
> --
> This message was sent using IMP, the Internet Messaging Program.
_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel
Please visit http://blog.snort.org for the latest news about Snort!
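The distinction argued over in this thread (an RST whose sequence number is inside the receiver's window but not honoured by the host, versus an RST that is outside the window altogether) can be made concrete with a small classifier. The following is an added illustration, not Snort's Stream5 code and not code posted by Bram or Russ. The session state (RCV.NXT = 200, RCV.WND = 1000) and the packet list are constructed for the example; the two sequence numbers 220 and 2200000000 are the ones from the thread. The window test is the RFC 793 acceptability check for a zero-length segment, and the `strict_match` flag models a stack that only honours a RST whose sequence number equals RCV.NXT exactly (the behaviour RFC 5961 specifies, and what the thread describes for Windows). The `STREAM5_RST_IGNORED_BY_HOST` name is the one Bram proposes; the mapping from verdict to alert name is an assumption of this example, not a Snort rule.

```python
"""Classify a TCP RST by its sequence number relative to the receiver's window.

Constructed example: the session state, packets and alert mapping below are
assumptions for illustration, not Snort's Stream5 logic.
"""
from enum import Enum

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


class RstVerdict(Enum):
    ACCEPTED = "accepted"                    # seq == RCV.NXT: host tears the connection down
    IN_WINDOW_IGNORED = "in_window_ignored"  # RFC 793-valid, but a strict-match stack ignores it
    OUT_OF_WINDOW = "out_of_window"          # not acceptable under RFC 793 at all


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a zero-length segment such as a bare RST:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32.
    With a zero window, only SEG.SEQ == RCV.NXT is acceptable."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify_rst(seq: int, rcv_nxt: int, rcv_wnd: int, strict_match: bool = True) -> RstVerdict:
    """strict_match=True models a stack that only honours a RST whose sequence
    number equals RCV.NXT exactly; False models a stack that honours any
    in-window RST. Out-of-window RSTs are never honoured either way."""
    if not seq_in_window(seq, rcv_nxt, rcv_wnd):
        return RstVerdict.OUT_OF_WINDOW
    if seq == rcv_nxt or not strict_match:
        return RstVerdict.ACCEPTED
    return RstVerdict.IN_WINDOW_IGNORED


# Hypothetical alert mapping: STREAM5_BAD_RST is the existing rule name from the
# thread, STREAM5_RST_IGNORED_BY_HOST is the split-out name proposed in it.
ALERT_FOR = {
    RstVerdict.OUT_OF_WINDOW: "STREAM5_BAD_RST",
    RstVerdict.IN_WINDOW_IGNORED: "STREAM5_RST_IGNORED_BY_HOST",
    RstVerdict.ACCEPTED: None,
}


def alert_for(seq: int, rcv_nxt: int, rcv_wnd: int, strict_match: bool = True):
    """Return the alert name a split rule set would raise, or None if the RST was honoured."""
    return ALERT_FOR[classify_rst(seq, rcv_nxt, rcv_wnd, strict_match)]


# Constructed session state: the receiver expects sequence 200 next and advertises
# a 1000-byte window, so 200..1199 is the acceptable range for a RST.
RCV_NXT = 200
RCV_WND = 1000

# Constructed packets: the two RSTs from the thread, an exact match, and a
# wrap-around case where RCV.NXT sits just below 2^32.
SAMPLE_RSTS = [
    ("other > windows: seq = 220, RST", 220, RCV_NXT, RCV_WND),
    ("other > windows: seq = 2200000000, RST", 2_200_000_000, RCV_NXT, RCV_WND),
    ("exact match: seq = 200, RST", 200, RCV_NXT, RCV_WND),
    ("wrap-around: seq = 5, RCV.NXT = 2^32-10", 5, SEQ_MOD - 10, 100),
]


def run_samples():
    """Classify every constructed packet; returns (label, alert) pairs."""
    return [(label, alert_for(seq, nxt, wnd)) for label, seq, nxt, wnd in SAMPLE_RSTS]


if __name__ == "__main__":
    for label, alert in run_samples():
        print(f"{label:45} -> {alert}")
```

With the constructed window, seq 220 is in range but not an exact match, so it yields the "ignored by host" verdict, while seq 2200000000 falls outside 200..1199 and yields the bad-RST verdict; the wrap-around packet shows why the comparison has to be done modulo 2^32 rather than with plain integer ordering.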
Current thread:
- Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Aug 23)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Sep 18)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Russ Combs (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Russ Combs (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Russ Combs (Sep 23)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Russ Combs (Sep 19)
- Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert Bram (Sep 18)