[Snort-users] Dropping Connections

Neil Dickey neil at ...1633...
Fri Mar 23 13:04:35 EST 2001

Joe Barr <warthawg at ...1645...> wrote:

>I was a little surprised not to find rules which reset
>connections in the database, or perhaps even block the
>attacking IP address à la portsentry.
>Is resetting or dropping a connection not considered to
>be the best line of action during an attack?

In my somewhat-limited experience, these "resets" can sometimes
generate a packet storm depending on what the remote machine is
trying to do to you.  I had a reset going on traffic from a
domain in the former Eastern Bloc because of a series of probes
I had received from it.  One morning I came in and found that
they had tripped my reset rule to the effect that the alert log
was over 39 megs and rapidly growing.  That can cause problems
depending on the space available for your log files, not to
mention the bandwidth taken up by the storm itself.

Resets can be useful, but should be used with care.  It is my
opinion that the user should decide whether or not they are to
be used, and I think it is a good thing that they aren't included
in the publicly-offered rulesets.

There may be others with better-developed opinions on this
than mine, and, if so, I'd like to read them.

Best regards,

Neil Dickey, Ph.D.
Research Associate/Sysop
Geology Department
Northern Illinois University
DeKalb, Illinois
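The runaway alert log Neil describes is the classic argument for rate-limiting how many alerts one source can generate per interval before any active response fires. The following Python is an added example, not code from the thread or from Snort itself; it emulates the per-source "limit" threshold that later Snort releases expose as the `threshold`/`event_filter` options, run over a constructed burst of probe alerts.

```python
from collections import defaultdict

# Constructed sample data (not from the original post): one host fires the
# same probe signature once a second for two minutes, while an unrelated host
# triggers it once. Records are (timestamp_seconds, source_ip, signature).
SAMPLE_ALERTS = [(t, "203.0.113.7", "SCAN probe") for t in range(0, 120)] + [
    (30, "198.51.100.9", "SCAN probe"),
]


def limit_by_src(alerts, count=1, seconds=60):
    """Emulate a 'type limit, track by_src' threshold.

    For each (source, signature) pair, log at most `count` alerts in every
    `seconds`-long window measured from the first alert in that window.
    Everything else is suppressed, which is what keeps a reset rule from
    turning a probe storm into a multi-megabyte alert file.
    """
    window_start = {}        # (src, sig) -> timestamp opening current window
    logged_in_window = defaultdict(int)
    logged = []
    for ts, src, sig in sorted(alerts):
        key = (src, sig)
        start = window_start.get(key)
        if start is None or ts - start >= seconds:
            # First alert of a new window: reset the per-window counter.
            window_start[key] = ts
            logged_in_window[key] = 0
        if logged_in_window[key] < count:
            logged_in_window[key] += 1
            logged.append((ts, src, sig))
    return logged


def storm_ratio(alerts, count=1, seconds=60):
    """Return (alerts_received, alerts_logged) for the given threshold."""
    return len(alerts), len(limit_by_src(alerts, count, seconds))


if __name__ == "__main__":
    received, kept = storm_ratio(SAMPLE_ALERTS)
    print(f"received {received} alerts, logged {kept} after thresholding")
    for ts, src, sig in limit_by_src(SAMPLE_ALERTS):
        print(f"[{ts:4d}s] {src:15s} {sig}")
```

With the default of one alert per source per minute, the 121 constructed alerts collapse to three log lines; raising `count` shows how the suppression scales.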
