[Snort-users] TCP Reset

michael.porter at ...1284...
Sun May 20 09:57:26 EDT 2001


Two follow-up questions on the effectiveness of TCP Reset.

In an earlier mail John Lampe wrote:
>It's useless (in some instances, more than useless) against SYN-floods,
 

Do you mean that TCP Reset can actually cause potential damage during some 
SYN Floods? Could you explain?

>>can it actually prevent the buffer overflow?
>Yes, as long as the snort engine can note the signature (shellcode, NOP's,
>whatever) and RST the connection before the payload has been delivered. 
 

Can the RST packet from Snort, which comes after the attack packet(s),
actually nullify the effect of the payload? Doesn't the server socket pass
the payload to the application before it handles the reset? Or am I getting
something wrong here? Has anybody actually succeeded in RST-ing a buffer overflow?


Thanks,

Michael




