[Snort-devel] Stream5: RST handling + 'STREAM5_BAD_RST' alert
rcombs at ...402...
Mon Sep 23 13:47:57 EDT 2013
On Thu, Sep 19, 2013 at 4:50 PM, Bram <bram-fabeg at ...3414...> wrote:
>>> In my opinion the 'STREAM5_BAD_RST' alert should only be produced when
>>> sequence in the packet is actually invalid according to the TCP RFC (=
>>> outside the TCP window).
>>> If the host chooses to ignore RFC-valid RST packets (which is/could be
>>> case for windows) then it should show a different alert.
>>> Currently it uses the same alert for both which makes it less useful...
>>> Linking it back to the example above:
>>> For: 'other > windows: seq = 220, RST flag set' I do not expect
>>> 'STREAM5_BAD_RST' but something similar to 'STREAM5_RST_IGNORED_BY_HOST'
>>> For: 'other > windows: seq = 2200000000, RST flag set' I expect
>>> 'STREAM5_BAD_RST' because the sequence is completely outside the TCP
>>> Does this make sense to you?
>> Sure, but in both cases the RST is ignored by the receiving host.
> That is correct but there is a major difference in what it means and what
> actions should/need to be taken.
> When these are split into two rules then there is a clear distinction (and
> it allows enabling/disabling one of the rules).
> If the RST packet is RFC-valid but ignored by the receiving host then
> there is nothing abnormal.
> The host sending the RST packet is RFC compliant, the host receiving it
> isn't but that's not an anomaly (IMO).
> If the RST packet is not RFC-valid then there is an anomaly which
> could/should be investigated.
> It could - for example - mean someone is attempting to cause a Denial of
> Service by sending RST packets and guessing the sequence numbers in it.
I wouldn't interpret an out-of-window RST as non-"RFC-valid". It could be
a prior session or other issue.
> Currently there is no way to differentiate between the two which seriously
> reduces the usability of the rule.
I'll open a bug to look into this.
> Best regards,
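To make the distinction argued in this thread concrete, here is an added example (not Snort or Stream5 code) that classifies a RST segment the way a stream reassembler could: first the RFC 793 window test, then the host's own acceptance policy. The connection state (RCV.NXT = 200, window 1000), the policy names "any_in_window" and "exact", and the alert name STREAM5_RST_IGNORED_BY_HOST are assumptions taken from or constructed for the thread; "exact" models the Windows-like behaviour described above, which is also the rule RFC 5961 later standardised. The window test is done modulo 2^32 so it survives sequence wraparound, and the zero-window case is handled as RFC 793 specifies.

```python
"""Classify a TCP RST segment against the receiver's expected sequence range.

Added example for the alert split discussed in the thread; it is not Snort or
Stream5 code. The connection state, the two host-policy names and the sample
segments below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Tuple

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class RcvState:
    rcv_nxt: int  # next sequence number the receiving host expects
    rcv_wnd: int  # window the receiving host has advertised


def in_window(seq: int, state: RcvState) -> bool:
    """RFC 793 acceptability test for a segment's starting sequence number.

    The subtraction is done mod 2^32 so the test still works when the
    window straddles the wrap from 0xFFFFFFFF back to 0.
    """
    if state.rcv_wnd == 0:
        # With a zero window only a segment at exactly RCV.NXT is acceptable.
        return seq % SEQ_MOD == state.rcv_nxt % SEQ_MOD
    return (seq - state.rcv_nxt) % SEQ_MOD < state.rcv_wnd


def classify_rst(seq: int, state: RcvState, policy: str) -> str:
    """Return the alert name a preprocessor would raise for a RST at `seq`.

    policy "any_in_window": the host honours every in-window RST (plain RFC 793).
    policy "exact":         the host honours a RST only when seq == RCV.NXT,
                            the behaviour the thread attributes to Windows and
                            the rule RFC 5961 later standardised (assumption:
                            the receiving host's policy is known to the sensor).
    """
    if not in_window(seq, state):
        # Outside the window: the sender did not know the connection state,
        # which is the case the thread wants kept as STREAM5_BAD_RST.
        return "STREAM5_BAD_RST"
    if policy == "exact" and seq % SEQ_MOD != state.rcv_nxt % SEQ_MOD:
        # RFC-valid but ignored by the host: nothing abnormal on the wire,
        # so it gets the separate (hypothetical) alert name from the thread.
        return "STREAM5_RST_IGNORED_BY_HOST"
    return "RST_ACCEPTED"  # connection torn down; no alert


def alerts_for(segments: List[Tuple[int, str]], state: RcvState) -> List[str]:
    """Classify a batch of (seq, policy) pairs, e.g. from a pcap summary."""
    return [classify_rst(seq, state, policy) for seq, policy in segments]


if __name__ == "__main__":
    # Constructed state: the Windows-like host expects seq 200 next and
    # advertises a 1000-byte window, matching the thread's two examples.
    state = RcvState(rcv_nxt=200, rcv_wnd=1000)
    for seq, policy in [(220, "exact"), (2200000000, "exact"), (200, "exact")]:
        print(f"seq={seq:>10} policy={policy}: {classify_rst(seq, state, policy)}")
```

With the constructed state, seq 220 under the "exact" policy yields the ignored-by-host alert while seq 2200000000 yields STREAM5_BAD_RST, which is exactly the split Bram asks for; rcombs's caveat still applies, since an out-of-window RST may be a straggler from a prior session rather than anything hostile, so the two alerts carry different weight rather than one being noise.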