[Snort-devel] Stream5: RST handling + 'STREAM5_BAD_RST' alert

Russ Combs rcombs at ...402...
Mon Sep 23 13:47:57 EDT 2013


On Thu, Sep 19, 2013 at 4:50 PM, Bram <bram-fabeg at ...3414...> wrote:

>
>>> In my opinion the 'STREAM5_BAD_RST' alert should only be produced when
>>> the sequence in the packet is actually invalid according to the TCP RFC
>>> (= outside the TCP window).
>>> If the host chooses to ignore RFC-valid RST packets (which is/could be
>>> the case for windows) then it should show a different alert.
>>>
>>> Currently it uses the same alert for both which makes it less useful...
>>>
>>> Linking it back to the example above:
>>>
>>> For: 'other > windows: seq = 220, RST flag set' I do not expect
>>> 'STREAM5_BAD_RST' but something similar to 'STREAM5_RST_IGNORED_BY_HOST'
>>> For: 'other > windows: seq = 2200000000, RST flag set' I expect
>>> 'STREAM5_BAD_RST' because the sequence is completely outside the TCP
>>> window
>>>
>>> Does this make sense to you?
>>>
>>>
>> Sure, but in both cases the RST is ignored by the receiving host.
>>
>
> That is correct but there is a major difference in what it means and what
> actions should/need to be taken..
>
> When these are split into two rules then there is a clear distinction (and
> it allows enabling/disabling one of the rules).
>
> If the RST packet is RFC-valid but ignored by the receiving host then
> there is nothing abnormal.
> The host sending the RST packet is RFC compliant, the host receiving it
> isn't but that's not an anomaly (IMO).
>
> If the RST packet is not RFC-valid then there is an anomaly which
> could/should be investigated.
> It could - for example - mean someone is attempting to cause a Denial of
> Service by sending RST packets and guessing the sequence numbers in it.
>
I wouldn't interpret an out-of-window RST as non-"RFC-valid".  It could be
a prior session or other issue.


> Currently there is no way to differentiate between the two which seriously
> reduces the usability of the rule.


I'll open a bug to look into this.


>
>
>
> Best regards,
>
> Bram
>
>
>
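Added example, not Snort's Stream5 code and not from this thread: a small classifier that separates the two cases Bram argues for, an RST that is in-window per RFC 793 but dropped by host policy versus one that is outside the receive window. It assumes a constructed listener state (rcv_nxt 200, window 8192) and a hypothetical "strict" host policy that accepts an RST only at exactly rcv_nxt, standing in for the Windows behaviour the thread mentions; it also handles 32-bit sequence wraparound, which goes beyond the thread's two probes.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* 32-bit wraparound-safe sequence comparisons, as TCP stacks do them. */
#define SEQ_LT(a, b)  ((int32_t)((a) - (b)) < 0)
#define SEQ_GEQ(a, b) ((int32_t)((a) - (b)) >= 0)

enum rst_verdict {
    RST_ACCEPTED,         /* receiver tears the session down */
    RST_IGNORED_BY_HOST,  /* in-window per RFC 793, but host policy drops it */
    RST_BAD               /* outside the receive window: worth an anomaly alert */
};

/* Receiver-side state for one direction of a tracked session (assumed layout). */
struct rcv_state {
    uint32_t rcv_nxt;  /* next sequence number the receiver expects */
    uint32_t rcv_wnd;  /* receive window it last advertised */
    bool strict_seq;   /* hypothetical policy: accept an RST only when seq == rcv_nxt */
};

/* RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND. */
static bool rst_in_window(const struct rcv_state *s, uint32_t seq)
{
    return SEQ_GEQ(seq, s->rcv_nxt) && SEQ_LT(seq, s->rcv_nxt + s->rcv_wnd);
}

/* Split the single "bad RST" notion into the two cases the thread distinguishes. */
enum rst_verdict classify_rst(const struct rcv_state *s, uint32_t seq)
{
    if (!rst_in_window(s, seq))
        return RST_BAD;
    if (s->strict_seq && seq != s->rcv_nxt)
        return RST_IGNORED_BY_HOST;
    return RST_ACCEPTED;
}

int main(void)
{
    /* Constructed listener state: expecting seq 200, 8 KiB window, strict host. */
    const struct rcv_state win = { .rcv_nxt = 200, .rcv_wnd = 8192, .strict_seq = true };
    const char *name[] = { "ACCEPTED", "IGNORED_BY_HOST", "BAD" };
    uint32_t probes[] = { 200, 220, 2200000000u };
    for (size_t i = 0; i < 3; i++)
        printf("RST seq=%u -> %s\n", probes[i], name[classify_rst(&win, probes[i])]);
    return 0;
}
```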