[Snort-users] TCP Resets

Josh Berry josh.berry at ...10221...
Fri Feb 27 20:47:03 EST 2004

I currently use snort-inline at the perimeter to do inline blocking.  I
was just trying to assess the value (if there is any) of using regular
snort ids with tcp-resets on the internal side of the network.

> twig les wrote:
>> --- Josh Berry <josh.berry at ...10221...> wrote:
>>> I am trying to assess the value of using TCP Resets on Exploit
>>> attacks over TCP such as Blaster and Code Red.  It seems as though
>>> trying to reset these types of connections will just double the
>>> amount of network traffic while not stopping the exploit.  Won't
>>> the reset reach the machine too late as the IDS is reacting just
>>> after the connection is seen?
>> That is a band-aid.  The core problem is the infected host. Aside
>> from double the traffic it does nothing to fix the core problem, just
>> the symptom.  If snort is not inline it may get bogged down enough to
>> let a payload pass anyway.
> If you issue an RST (assuming inline):
> * generates return traffic,
> * fakes most scanners into believing port is closed,
> * attacker can rapidly continue their attack/scan
> If you do not issue an RST, but silently drop:
> * no return traffic,
> * attacker must wait for timeout,
> * scanners assume the port is "filtered"
> Inline will indeed not work exactly as expected, the above rules apply
> to strictly inline devices (firewall, iptables, etc).
> Jeff

Josh Berry, CISSP
CTO, VP of Product Development
josh.berry at ...10268...
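To make the trade-offs in this thread concrete, here is a small Python model (added here as an illustration; it is not code from the thread or from the Snort project) of the three sensor behaviours being compared: a passive sensor that forges a RST after seeing the offending segment, an inline device that silently drops, and an inline device that drops and answers with a RST. The timing figures (sensor reaction time, sensor-to-host delay, RTT, scanner timeout) and the two sample flows are constructed assumptions, chosen only to show the mechanics.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Segment:
    """One TCP segment of a flow, as seen at the protected host (constructed data)."""
    t_ms: float                      # time the segment reaches the host
    matches_rule: bool               # would fire the Snort signature
    completes_exploit: bool = False  # exploit code has fully arrived with this segment


@dataclass
class Outcome:
    mode: str
    exploit_delivered: bool          # did the exploit payload reach the host in full?
    return_packets: int              # packets travelling back toward the source
    reset_arrival_ms: Optional[float]  # when the host sees a RST, if it ever does
    scanner_infers: str              # what a port scanner would conclude from the reply
    source_waits_ms: float           # delay before the source learns anything at all


def evaluate(mode: str, flow: List[Segment], sensor_reaction_ms: float = 5.0,
             sensor_to_host_ms: float = 1.0, rtt_ms: float = 40.0,
             scanner_timeout_ms: float = 3000.0) -> Outcome:
    """Modes: 'passive_rst' (span/tap sensor plus forged resets), 'inline_drop',
    'inline_reject'. All timing parameters are assumptions, not measurements."""
    trigger = next((s for s in flow if s.matches_rule), None)
    finish = next((s for s in flow if s.completes_exploit), None)

    if trigger is None:
        # Nothing matched: the host answers normally and traffic is untouched.
        return Outcome(mode, finish is not None, 1, None, "open", rtt_ms)

    if mode == "passive_rst":
        # Sensor and host see the trigger segment at the same instant; the forged
        # RST exists only after the sensor has decoded, matched and transmitted it.
        rst_at = trigger.t_ms + sensor_reaction_ms + sensor_to_host_ms
        # The exploit wins the race if its last segment lands before the RST.
        delivered = finish is not None and finish.t_ms < rst_at
        # The host already answered the segment itself (SYN-ACK or ACK) and the
        # sensor adds a RST toward the source: two return packets instead of one.
        # Because the real host replied, a scanner still learns the true state.
        return Outcome(mode, delivered, 2, rst_at, "open", rtt_ms)

    if mode == "inline_drop":
        # Segment never reaches the host, nothing goes back, the source must wait.
        return Outcome(mode, False, 0, None, "filtered", scanner_timeout_ms)

    if mode == "inline_reject":
        # Segment never reaches the host, but a RST is returned right away.
        return Outcome(mode, False, 1, None, "closed", rtt_ms)

    raise ValueError(f"unknown mode {mode!r}")


# Constructed sample flows (times are after the handshake has completed).
# 1) The whole exploit sits in the first segment that matches the rule.
ONE_SEGMENT_EXPLOIT = [Segment(100.0, matches_rule=True, completes_exploit=True)]
# 2) The rule fires on an early segment; the exploit needs a later one to complete.
TWO_SEGMENT_EXPLOIT = [Segment(100.0, matches_rule=True),
                       Segment(150.0, matches_rule=False, completes_exploit=True)]

MODES = ("passive_rst", "inline_drop", "inline_reject")


def compare(flow: List[Segment], **timing) -> dict:
    """Evaluate every mode against one flow; returns {mode: Outcome}."""
    return {m: evaluate(m, flow, **timing) for m in MODES}


if __name__ == "__main__":
    for name, flow in (("one-segment exploit", ONE_SEGMENT_EXPLOIT),
                       ("two-segment exploit", TWO_SEGMENT_EXPLOIT)):
        print(f"== {name} ==")
        for mode, o in compare(flow).items():
            print(f"{mode:14s} delivered={o.exploit_delivered!s:5s} "
                  f"return_pkts={o.return_packets} scanner={o.scanner_infers:8s} "
                  f"source_waits={o.source_waits_ms:.0f}ms")
```

Running it shows the point of the original question: with a one-segment exploit the passive sensor's RST always arrives after the payload, and even with a multi-segment exploit the reset only helps while the sensor's reaction plus delivery time is shorter than the gap to the next segment. It also shows why the RST-versus-drop list applies to inline devices only: in passive mode the host has already replied, so the source sees the port as open regardless of the forged reset, whereas inline drop is the only mode that generates no return traffic and forces the source to wait out its timeout.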
