[Snort-users] TCP Reset

michael.porter at ...1284...
Sun May 20 13:11:47 EDT 2001


>>Can the RST packet from Snort -which comes after the attack packet(s) -
>>actually nullify the effect of the payload? Doesn't the server socket
>>pass the payload to the application, before it handles the reset? Or am I
>>getting something wrong here? Has anybody actually succeeded RST-ing a buffer
>>overflow?

>The question is...how large is the buffer? It's a race. If the buffer is
>large enough (spanning multiple packets), the RST has the potential of
>occurring before the actual overflow occurs.


This is interesting: if it's a race between the attacker and the IDS, then 
I guess the packet size is what counts. Since packets of size 1500 bytes 
are not uncommon, I guess few buffer overflows will be effectively 'killed' 
by the RST. Is this also an argument against using the IDS as an 'active 
direct response' to attacks?
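As an added illustration (not part of the original thread), a small Python model of the race described above: the attack payload is split into TCP segments that reach the server one inter-packet gap apart, the IDS matches on one of those segments, and its RST lands a fixed reaction delay later; every segment that arrives before the RST is counted as already handed to the application. Segment size, gap and delay values are constructed samples, and the model assumes the server honours the RST the moment it arrives.

```python
"""Toy model of the race between an attack payload and an IDS-injected TCP RST."""
from dataclasses import dataclass


@dataclass
class RaceResult:
    bytes_before_rst: int   # payload bytes the application saw before the RST
    payload_bytes: int      # total attack payload
    rst_won: bool           # True if the RST arrived before the overflow completed


def rst_race(payload_bytes, mss, inter_packet_gap, match_segment,
             reaction_delay, overflow_at=None):
    """Simulate the race.  Segment k (0-based, mss bytes each) is fully received
    by the server at time k * inter_packet_gap.  The IDS matches on segment
    `match_segment` and its RST reaches the server `reaction_delay` later
    (detection, RST crafting and transit).  The overflow is counted as
    complete once `overflow_at` bytes are delivered (default: whole payload)."""
    if overflow_at is None:
        overflow_at = payload_bytes
    n_segments = -(-payload_bytes // mss)            # ceiling division
    if not 0 <= match_segment < n_segments:
        raise ValueError("match_segment outside the payload")
    rst_arrival = match_segment * inter_packet_gap + reaction_delay
    delivered = 0
    for k in range(n_segments):
        if k * inter_packet_gap >= rst_arrival:     # a tie goes to the RST
            break
        delivered += min(mss, payload_bytes - delivered)
    return RaceResult(delivered, payload_bytes, delivered < overflow_at)


def rst_reaction_budget(payload_bytes, mss, inter_packet_gap, match_segment):
    """Largest reaction delay for which the RST still beats the final segment.
    A single-segment payload gives a budget of 0: the RST can never win."""
    n_segments = -(-payload_bytes // mss)
    return (n_segments - 1 - match_segment) * inter_packet_gap


if __name__ == "__main__":
    # Constructed scenarios: one full-size packet vs. a payload spanning six.
    print(rst_race(1460, 1460, 1.0, 0, 0.5))        # RST loses, 1460 bytes in
    print(rst_race(8000, 1460, 1.0, 0, 2.5))        # RST wins, 4380 bytes in
    print(rst_reaction_budget(8000, 1460, 1.0, 0))  # 5.0 time units to react
```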

