[Snort-users] TCP Resets

Josh Berry josh.berry at ...10221...
Fri Feb 27 20:47:03 EST 2004


I currently use snort-inline at the perimeter to do inline blocking.  I
was just trying to assess the value (if there is any) of using regular
snort ids with tcp-resets on the internal side of the network.

> twig les wrote:
>> --- Josh Berry <josh.berry at ...10221...> wrote:
>>
>>> I am trying to assess the value of using TCP Resets on Exploit
>>> attacks over TCP such as Blaster and Code Red.  It seems as though
>>> trying to reset these types of connections will just double the
>>> amount of network traffic while not stopping the exploit.  Won't
>>> the reset reach the machine too late as the IDS is reacting just
>>> after the connection is seen?
>
>> That is a band-aid.  The core problem is the infected host. Aside
>> from double the traffic it does nothing to fix the core problem, just
>> the symptom.  If snort is not inline it may get bogged down enough to
>> let a payload pass anyway.
>
> If you issue an RST (assuming inline):
> * generates return traffic,
> * fakes most scanners into believing port is closed,
> * attacker can rapidly continue their attack/scan
>
> If you do not issue an RST, but silently drop:
> * no return traffic,
> * attacker must wait for timeout,
> * scanners assume the port is "filtered"
>
> Inline will indeed not work exactly as expected; the above rules apply
> to strictly inline devices (firewall, iptables, etc).
>
> Jeff
>
>
>


Thanks,
Josh Berry, CISSP
CTO, VP of Product Development
LinkNet-Solutions
469-831-8543
josh.berry at ...10268...
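To make the timing question in this thread concrete, here is a small simulation, added here and not code from the thread or from Snort, that replays a constructed attacker-to-victim segment stream past three kinds of sensor: a sniffing sensor on a tap or SPAN port that forges resets in the style of Snort's resp:rst_all, an inline device that drops (snort_inline's drop action), and one that drops and answers with a RST (snort_inline's reject). The host model, the segment streams, the signature bytes and the names simulate and summarize are all assumptions; the victim follows RFC 793 and accepts a reset only when its sequence number falls inside the receive window.

```python
"""Toy timing model: a sniffing IDS that injects TCP resets versus an inline
device that drops. Added example, not code from the original thread: the
segment streams, the signature and the host model are all constructed."""
from dataclasses import dataclass

@dataclass
class Segment:
    seq: int              # sequence number of the first payload byte
    payload: bytes = b""
    rst: bool = False

@dataclass
class Victim:
    """Receiving host. In-order data reaches the application while the socket
    is open; a RST is honoured only if its seq falls in the receive window."""
    rcv_nxt: int
    rcv_wnd: int = 65535
    closed: bool = False
    delivered: bytes = b""

    def receive(self, seg):
        if self.closed:
            return                                  # socket gone, data discarded
        if seg.rst:
            if self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd:
                self.closed = True                  # RFC 793 window check
            return                                  # stale RST: silently ignored
        if seg.seq == self.rcv_nxt:
            self.delivered += seg.payload
            self.rcv_nxt += len(seg.payload)

@dataclass
class Result:
    delivered: bytes     # exploit bytes that reached the application
    closed: bool         # victim socket torn down at some point
    extra_packets: int   # packets the sensor itself put on the wire
    attacker_sees: str   # how the attacker's scanner would classify the port

SIGNATURE = b"EXPLOIT"   # constructed: the bytes the toy rule matches on

def simulate(segments, mode, ids_lag=0, sensor_misses=()):
    """mode: 'none', 'passive_rst' (resp:rst_all-style on a tap/SPAN),
    'inline_drop' (snort_inline drop) or 'inline_reject' (drop plus RST back).
    ids_lag: further segments the wire delivers before the passive sensor's
    forged RST lands. sensor_misses: indices a bogged-down sensor never saw."""
    victim = Victim(rcv_nxt=segments[0].seq)
    pending = []                      # (deliver_before_index, forged RST)
    extra, blocking, attacker_sees = 0, False, "open"
    for i, seg in enumerate(segments):
        for item in [p for p in pending if p[0] < i]:   # RSTs due before this segment
            victim.receive(item[1])
            pending.remove(item)
        fired = SIGNATURE in seg.payload and i not in sensor_misses
        if mode in ("inline_drop", "inline_reject"):
            if fired or blocking:                   # the match and everything after it
                blocking = True
                if mode == "inline_reject" and fired:
                    extra += 1                      # one RST toward the attacker
                    attacker_sees = "closed"
                elif mode == "inline_drop":
                    attacker_sees = "filtered"      # attacker waits for a timeout
                continue                            # segment never reaches the victim
            victim.receive(seg)
            continue
        victim.receive(seg)                         # passive: the wire beats the sensor
        if mode == "passive_rst" and fired:
            # forge the attacker's next seq from the segment that was just seen
            pending.append((i + ids_lag, Segment(seg.seq + len(seg.payload), rst=True)))
            extra += 2                              # rst_all: one RST each way
            attacker_sees = "closed"
    for _, rst in pending:                          # whatever is still in flight
        victim.receive(rst)
    return Result(victim.delivered, victim.closed, extra, attacker_sees)

# Constructed streams; seq is relative to the attacker's ISN.
ONE_SHOT = [Segment(1, b"GET /default.ida?EXPLOIT" + b"N" * 40)]  # whole attack in one segment
STAGED = [Segment(1, b"EXPLOIT-bind"), Segment(13, b"STAGE2"), Segment(19, b"STAGE3")]

def summarize(mode, segments, **kw):
    r = simulate(segments, mode, **kw)
    return (len(r.delivered), r.closed, r.extra_packets, r.attacker_sees)

if __name__ == "__main__":
    for label, segs in (("one-shot", ONE_SHOT), ("staged", STAGED)):
        for mode in ("none", "passive_rst", "inline_drop", "inline_reject"):
            print(label, mode, summarize(mode, segs))
        print(label, "passive_rst lag=2", summarize("passive_rst", segs, ids_lag=2))
        print(label, "passive_rst missed", summarize("passive_rst", segs, sensor_misses={0}))
```

Running it shows the one-shot stream delivered in full no matter how the sniffing sensor reacts, because its reset can only follow the segment that triggered it, and the sensor's two RSTs are simply extra traffic. The staged stream is cut off after its first segment only when the forged reset arrives before the next segment does; a reset that lands later carries a sequence number below the victim's rcv_nxt and is ignored, and a sensor that missed the triggering segment sends nothing at all. Both inline modes deliver nothing, and the drop variant is the only one that leaves the attacker with no answer to work from.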




