Re: Stream5: RST handling + 'STREAM5_BAD_RST' alert

[Russ Combs <rcombs () sourcefire com>]

On Thu, Sep 19, 2013 at 4:50 PM, Bram <bram-fabeg () mail wizbit be> wrote:

> > > In my opinion the 'STREAM5_BAD_RST' alert should only be produced when
> > > the
> > > sequence in the packet is actually invalid according to the TCP RFC (=
> > > outside the TCP window).
> > > If the host chooses to ignore RFC-valid RST packets (which is/could be
> > > the
> > > case for windows) then it should show a different alert.
> > >
> > > Currently it uses the same alert for both which makes it less useful...
> > >
> > > Linking it back to the example above:
> > >
> > > For: 'other > windows: seq = 220, RST flag set' I do not expect
> > > 'STREAM5_BAD_RST' but something similar to 'STREAM5_RST_IGNORED_BY_HOST'
> > > For: 'other > windows: seq = 2200000000, RST flag set' I expect
> > > 'STREAM5_BAD_RST' because the sequence is completely outside the TCP
> > > window
> > >
> > > Does this makes sense to you?
> > Sure, but in both cases the RST is ignored by the receiving host.
>
> That is correct but there is a major difference in what it means and what
> actions should/need to be taken..
>
> When these are split into two rules then there is a clear distinction (and
> it allows to enable/disable one of the rules).
>
> If the RST packet is RFC-valid but ignored by the receiving host then
> there is nothing abnormal.
> The host sending the RST packet is RFC complaint, the host receiving it
> isn't but that's not an anomaly (IMO).
>
> If the RST packet is not RFC-valid then there is an anomaly which
> could/should be investigated.
> It could - for example - mean someone is attempting to cause a Denial of
> Service by sending RST packets and guessing the sequence numbers in it.
>
> I wouldn't interpret an out-of-window RST as non-"RFC-valid".  I could be
a prior session or other issue.


> Currently there is no way to differentiate between the two which seriously
> reduces the usability of the rule.


I'll open a bug to look into this.


> Best regards,
>
> Bram
>
>
>
> ------------------------------**------------------------------**----
> This message was sent using IMP, the Internet Messaging Program.
------------------------------------------------------------------------------
October Webinars: Code for Performance
Free Intel webinars can help you accelerate application performance.
Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from 
the latest Intel processors and coprocessors. See abstracts and register >
http://pubads.g.doubleclick.net/gampad/clk?id=60133471&iu=/4140/ostg.clktrk

_______________________________________________
Snort-devel mailing list
Snort-devel () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-devel
Archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-devel

Please visit http://blog.snort.org for the latest news about Snort!