[Snort-devel] Stream5: RST handling + 'STREAM5_BAD_RST' alert

Bram bram-fabeg at ...3414...
Thu Sep 19 16:50:06 EDT 2013


>>
>> In my opinion the 'STREAM5_BAD_RST' alert should only be produced when the
>> sequence in the packet is actually invalid according to the TCP RFC (=
>> outside the TCP window).
>> If the host chooses to ignore RFC-valid RST packets (which is/could be the
>> case for windows) then it should show a different alert.
>>
>> Currently it uses the same alert for both which makes it less useful...
>>
>> Linking it back to the example above:
>>
>> For: 'other > windows: seq = 220, RST flag set' I do not expect
>> 'STREAM5_BAD_RST' but something similar to 'STREAM5_RST_IGNORED_BY_HOST'
>> For: 'other > windows: seq = 2200000000, RST flag set' I expect
>> 'STREAM5_BAD_RST' because the sequence is completely outside the TCP window
>>
>> Does this make sense to you?
>>
>
> Sure, but in both cases the RST is ignored by the receiving host.

That is correct, but there is a major difference in what it means and what actions should/need to be taken.

When these are split into two rules then there is a clear distinction (and it allows enabling/disabling one of the rules).

If the RST packet is RFC-valid but ignored by the receiving host then there is nothing abnormal.
The host sending the RST packet is RFC compliant, the host receiving it isn't, but that's not an anomaly (IMO).

If the RST packet is not RFC-valid then there is an anomaly which could/should be investigated.
It could - for example - mean someone is attempting to cause a Denial of Service by sending RST packets and guessing the sequence numbers in it.

Currently there is no way to differentiate between the two, which seriously reduces the usability of the rule.


Best regards,

Bram
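The distinction Bram argues for above, written out as a small classifier (an added example for this thread, not Snort/Stream5 code): an RST is RFC-valid when its sequence number falls inside the receiver's window, and a strict host (Windows-like, per the thread) additionally ignores in-window RSTs whose sequence number is not exactly the next expected one. The receiver state values (rcv_nxt = 200, a 65535-byte window) are constructed here because the original example is not part of this message; the label `RST_ACCEPTED` is likewise a constructed name, while `STREAM5_BAD_RST` and `STREAM5_RST_IGNORED_BY_HOST` are the alert names discussed in the thread.

```python
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence space wraps at 2^32


@dataclass(frozen=True)
class TcpReceiverState:
    """Receiver-side view needed to judge an incoming RST (constructed example)."""
    rcv_nxt: int      # next sequence number the receiver expects
    rcv_wnd: int      # advertised receive window (bytes)
    strict_rst: bool  # True: host only honours RST with seq == rcv_nxt (Windows-like)


def seq_in_window(seq: int, state: TcpReceiverState) -> bool:
    """RFC 793 acceptability test for a segment carrying no data.

    A zero window accepts only seq == rcv_nxt; otherwise seq must lie in
    [rcv_nxt, rcv_nxt + rcv_wnd). Modular arithmetic handles wrap-around.
    """
    offset = (seq - state.rcv_nxt) % SEQ_MOD
    if state.rcv_wnd == 0:
        return offset == 0
    return offset < state.rcv_wnd


def classify_rst(seq: int, state: TcpReceiverState) -> str:
    """Map an RST's sequence number to the alert a reassembler could raise.

    STREAM5_BAD_RST            -> outside the window: not RFC-valid, worth a look
    STREAM5_RST_IGNORED_BY_HOST -> RFC-valid, but a strict host drops it: benign
    RST_ACCEPTED               -> the receiver will tear the session down
    """
    if not seq_in_window(seq, state):
        return "STREAM5_BAD_RST"
    if state.strict_rst and seq != state.rcv_nxt:
        return "STREAM5_RST_IGNORED_BY_HOST"
    return "RST_ACCEPTED"


# Constructed receiver states: a strict (Windows-like) host and a lenient one.
STATE_WINDOWS = TcpReceiverState(rcv_nxt=200, rcv_wnd=65535, strict_rst=True)
STATE_LENIENT = TcpReceiverState(rcv_nxt=200, rcv_wnd=65535, strict_rst=False)


def triage(packets, state: TcpReceiverState) -> dict:
    """Count classifications over a batch of (src, seq) RST packets."""
    counts = {}
    for _src, seq in packets:
        verdict = classify_rst(seq, state)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed RSTs mirroring the two cases from the thread plus an exact match.
    rsts = [("other", 220), ("other", 2200000000), ("other", 200)]
    for _src, seq in rsts:
        print(f"seq={seq:>10}  windows={classify_rst(seq, STATE_WINDOWS):<28} "
              f"lenient={classify_rst(seq, STATE_LENIENT)}")
    print(triage(rsts, STATE_WINDOWS))
```

Keeping the two verdicts separate is what makes the out-of-window count useful on its own: a burst of `STREAM5_BAD_RST` against one session is the signal Bram describes, while `STREAM5_RST_IGNORED_BY_HOST` can be tuned down per host profile without losing it.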


