[Snort-users] TCP Reset

Lampe, John W. JWLAMPE at ...1612...
Sat May 19 21:02:48 EDT 2001


>What does the group think of the benefits of killing TCP connections, as
>available in FLEXRESP, or even the Tcpkill feature in ISS Realsecure?
>From what I've understood so far, it's effective against DoS attacks
>SYN-Flood, and of limited value against buffer overflow attacks; 

It's useless (in some instances, more than useless) against SYN-floods, and
of limited value against buffer overflows.   

>could be abused by the attacker too.
>Since the 'Reset' is sent after the attack packet reaches the host, can 
>it actually prevent the buffer overflow? 

Yes, as long as the snort engine can note the signature (shellcode, NOP's,
whatever) and RST the connection before the payload has been delivered.  

>Now, if the malicious code that
>gets executed adds a new account (say), wouldn't killing the connection 
>after the event be quite wasted?


>Free, encrypted, secure Web-based email at www.hushmail.com

John Lampe

More information about the Snort-users mailing list