[Snort-users] TCP Reset
Lampe, John W.
JWLAMPE at ...1612...
Sat May 19 21:02:48 EDT 2001
>What does the group think of the benefits of killing TCP connections, as
>available in FLEXRESP, or even the Tcpkill feature in ISS Realsecure?
>From what I've understood so far, it's effective against DoS attacks
>SYN-Flood, and of limited value against buffer overflow attacks;
It's useless (in some instances, more than useless) against SYN-floods, and
of limited value against buffer overflows.
>could be abused by the attacker too.
>Since the 'Reset' is sent after the attack packet reaches the host, can
>it actually prevent the buffer overflow?
Yes, as long as the snort engine can note the signature (shellcode, NOPs,
whatever) and RST the connection before the payload has been delivered.
>Now, if the malicious code that
>gets executed adds a new account (say), wouldn't killing the connection
>after the event be quite wasted?
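The race John describes (the sensor must match the signature and land its RST before the last byte of the payload reaches the host) can be modelled to see when active response can actually prevent an overflow. The following is an added example, not code from this thread or from Snort; segment contents, timings, and the assumption that the sensor sees each segment at the moment it reaches the host are all constructed for illustration.

```python
"""Model of the race between a sensor-injected TCP RST and delivery of an
exploit payload. Shows why a RST can only help when the signature becomes
visible in an earlier segment than the one that completes the payload."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Segment:
    seq: int          # offset of this segment's first byte in the stream
    data: bytes
    arrival: float    # time (ms) at which the segment reaches the victim

NOP_SLED = b"\x90" * 8   # constructed signature: a short run of x86 NOPs

def find_signature(segments, signature=NOP_SLED):
    """Return (segment index, arrival time) at which a sensor reassembling the
    stream in sequence order could first match the signature, else None."""
    stream = b""
    for i, seg in enumerate(sorted(segments, key=lambda s: s.seq)):
        stream += seg.data
        if signature in stream:           # also catches a sled split across segments
            return i, seg.arrival
    return None

def rst_prevents_overflow(segments, detect_latency_ms, rst_one_way_ms,
                          signature=NOP_SLED):
    """True if the RST reaches the host before the final payload segment.
    Assumes the overflow only fires once the whole payload has been delivered."""
    hit = find_signature(segments, signature)
    if hit is None:
        return False                      # nothing to respond to
    _, seen_at = hit
    rst_arrives = seen_at + detect_latency_ms + rst_one_way_ms
    payload_complete = max(s.arrival for s in segments)
    return rst_arrives < payload_complete

# Constructed stream: exploit spread over three segments, sled in the first.
MULTI_SEGMENT = [
    Segment(0,   b"GET /" + NOP_SLED + b"A" * 100, arrival=0.0),
    Segment(113, b"A" * 500,                       arrival=20.0),
    Segment(613, b"B" * 500 + b"\r\n",             arrival=40.0),
]
# Constructed stream: the entire exploit fits in a single segment, so the
# payload is already delivered at the instant the sensor first sees the sled.
SINGLE_SEGMENT = [Segment(0, b"GET /" + NOP_SLED + b"A" * 600 + b"\r\n", 0.0)]
```

With a slow sensor or a long path back to the host, even the multi-segment case is lost; the single-segment case is lost regardless of latency.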