[Snort-users] TCP Resets

Josh Berry josh.berry at ...10221...
Fri Feb 27 18:26:02 EST 2004


So where would it be practical to use resets outside of policy issues like
P2P, Chat, Websites, and possibly Trojans/Backdoors?


>
> --- Josh Berry <josh.berry at ...10221...> wrote:
>> I am trying to assess the value of using TCP Resets on exploit attacks
>> over TCP such as Blaster and Code Red.  It seems as though trying to
>> reset these types of connections will just double the amount of network
>> traffic while not stopping the exploit.  Won't the reset reach the
>> machine too late, as the IDS is reacting just after the connection is
>> seen?
>>
>> Is there only value in doing this if the exploit can be spotted in the
>> initial SYN but the actual malicious content is contained in the data
>> portion after the 3-way handshake?
>>
>> Correct me anywhere that I am wrong.
>>
>
> That is a band-aid.  The core problem is the infected host.
> Aside from double the traffic it does nothing to fix the core
> problem, just the symptom.  If snort is not inline it may get
> bogged down enough to let a payload pass anyway.
>
> =====
> -----------------------------------------------------------
> With a few exceptions, secrecy is deeply incompatible with
> democracy and with science.
>      --Carl Sagan
> -----------------------------------------------------------
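The timing argument in the thread (a passive sensor can only answer a segment it has already seen, so its RST trails the packet that triggered the rule) can be made concrete with a small model. The block below is an added example, not code from the original thread or from Snort: it puts a sensor on a tap next to the victim, fires one RST when a rule matches at some byte offset in the stream, and applies the RFC 793 rule that a receiver honours an RST only if its sequence number falls inside the receive window. All delays, payload sizes and the match offset are assumed values chosen for illustration, and the three scenarios are constructed inputs.

```python
"""Toy model of out-of-band TCP resets from a passive IDS.

Added example, not from the original thread or from Snort. The sensor sits
on a tap beside the victim, so it sees each attacker segment at the same
instant the victim does and can only answer afterwards. All delays, sizes
and offsets below are assumptions chosen for illustration.
"""
from dataclasses import dataclass


@dataclass
class Segment:
    t_send: float   # time the attacker puts the segment on the wire
    seq: int        # relative sequence number of its first payload byte
    payload: bytes


def simulate(segments, match_offset, link_delay=0.020, rst_delay=0.005,
             rcv_wnd=65535):
    """Return (bytes the application received, time the RST took effect or None).

    match_offset: stream offset at which the sensor's rule matches.
    link_delay:   one-way attacker -> victim delay (assumed).
    rst_delay:    sensor sniff -> RST reaches victim; strictly positive, because
                  a passive sensor cannot answer a segment before seeing it.
    rcv_wnd:      victim's receive window; an RST is honoured only if its
                  sequence number is in [rcv_nxt, rcv_nxt + rcv_wnd) (RFC 793).
    """
    assert rst_delay > 0, "a passive sensor cannot answer before it has seen the segment"
    # Every event is (time, order, kind, value); 'order' keeps wire order stable
    # when times tie and guarantees the tuple sort never compares 'value'.
    events = [(s.t_send + link_delay, i, "data", s) for i, s in enumerate(segments)]

    # The sensor reassembles the stream as it sniffs and fires once, when the
    # match offset is crossed. The RST carries the sequence number the sensor
    # expects next, much as session-sniping resets reuse the numbers of the
    # packet they were triggered by.
    seen = 0
    for i, s in enumerate(segments):
        seen_after = seen + len(s.payload)
        if seen < match_offset <= seen_after:
            t_seen = s.t_send + link_delay
            events.append((t_seen + rst_delay, len(segments) + i, "rst", seen_after))
            break
        seen = seen_after

    rcv_nxt, delivered, reset_at = 0, b"", None
    for t, _, kind, value in sorted(events):
        if reset_at is not None:
            continue                       # connection already torn down
        if kind == "data":
            if value.seq == rcv_nxt:       # in-order segment, hand it to the app
                delivered += value.payload
                rcv_nxt += len(value.payload)
        elif rcv_nxt <= value < rcv_nxt + rcv_wnd:
            reset_at = t                   # RST in window: victim drops the connection
        # an RST whose sequence number is already behind rcv_nxt is silently dropped
    return delivered, reset_at


def stream(sizes, spacing, t0=0.0):
    """Constructed input: in-order segments of the given sizes, `spacing` seconds apart."""
    segs, seq, t = [], 0, t0
    for n in sizes:
        segs.append(Segment(t, seq, b"A" * n))
        seq += n
        t += spacing
    return segs


def scenarios():
    """Three constructed cases; returns name -> (bytes delivered, reset time or None)."""
    return {
        # Whole exploit in one 800-byte segment: the rule matches at offset 100,
        # but the entire payload is already with the application when the RST lands.
        "single_segment": simulate(stream([800], 0.0), match_offset=100),
        # Exploit spread over three segments 50 ms apart: the RST arrives before
        # the second segment, so only the first 500 bytes get through.
        "multi_segment_paced": simulate(stream([500, 500, 500], 0.050), match_offset=100),
        # Same three segments sent back-to-back: all three arrive before the RST,
        # whose sequence number (500) is then behind rcv_nxt and is dropped.
        "multi_segment_burst": simulate(stream([500, 500, 500], 0.0), match_offset=100),
    }


if __name__ == "__main__":
    for name, (delivered, reset_at) in scenarios().items():
        print(f"{name:22s} delivered={len(delivered):5d} bytes  reset_at={reset_at}")
```

The model bears out both points made in the thread: for a single-segment exploit the reset changes nothing except adding traffic, and it only buys anything when the malicious content is still in flight after the rule fires. The burst case adds the caveat a practitioner should expect in the field: even then, segments that arrive before the RST push the receiver past the sequence number the sensor stamped on it, and the reset is ignored.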