jeff at ...950...
Wed Mar 27 14:00:04 EST 2002
Bamm Visscher wrote:
> Okay, I think I finally see what you are driving at. Your concern is
> that flex-resp will not be able to kill a connection before it can
> establish a session. While my intent with these rules, is to kill a
> session before any communcations (ie execed commands) can take place.
> So, although snort will alert and attempt to use flex resp to kill the
> connection on the initial syn packet (will flex-resp be able to use the
> ack in the syn/ack to craft a reset?), it won't be successful until it
> gets an (good) ack. This is not a problem since once the session has
> been established and either end tries to send data, the connection will
> be successfully killed. Yes, this will generate multiple alerts, but the
> point of instituting an alert like this is to keep the perp from
> communicating (execing commands etc) with the compromised server. This
> of course all depends (like I said in each post) on the protocol doing
> the "communicating". HTTP is not very reset friendly, while interactive
> services like ssh, telnet, FTP, etc. are.
> BTW, maybe a better rule would use (flags: !RS;).
I'll admit that's a creative solution that may work. Sending a RST in
response to the initial SYN will be ignored but as you mentioned the
RSTs generated in response to ACKing back and forth may actually work.
To anyone using flexresp, I would suggest using rst_all when creating
TCP response rules. Your IDS is likely much closer physically to any
system you're protecting than it is to the attacker and thus the latency
to the server is less than that to the attacker. Also, any attacker
worth his salt can simply configure a firewall he controlls between
himself and the target to simply block TCP RSTs thus making client
session sniping useless. By reseting both sides of a connection there's
a much higher likelyhood of success.
http://jeff.wwti.com (pgp key available)
"Common sense is the collection of prejudices acquired by age eighteen."
- Albert Einstein
More information about the Snort-users