[Snort-users] TCP Reset

Frank Knobbe FKnobbe at ...649...
Sat May 19 15:49:18 EDT 2001


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> -----Original Message-----
> From: michael.porter at ...1284...
> [mailto:michael.porter at ...1284...]
> Sent: Saturday, May 19, 2001 2:51 PM
> 
> What does the group think of the benefits of killing TCP
> connections, as available in FLEXRESP, or even the Tcpkill feature
> in ISS Realsecure?


Personally, I don't like it and don't use it. I like to design IDS
implementations in such a way that it is impossible to establish 'a
dialog' with the IDS box from the dirty network. In other words, I
like to have them only being able to sniff traffic, but not send
traffic (using taps and 'read-only' cables). Any management and
communication that the IDS box sends should occur over a separate,
clean network.

I do like the ability for IDS systems to take an active role and
respond actively (hence my plug-in that reconfigures Chkpt
firewalls). But in this case there is no data sent to the intruder,
the firewall will just filter him out. I don't like sending packets
to someone trying to break into my network.

jmpo (Just my personal opinion)

Regards,
Frank



-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: PGP or S/MIME encrypted email preferred.

iQA/AwUBOwbOPpytSsEygtEFEQITxgCgk6TlGzMEQZYboiZcXbtCFIwg99AAoI06
1kl0QQDk2oRRphJx5KQF+4xa
=Azg4
-----END PGP SIGNATURE-----



