[Snort-users] TCP Resets
josh.berry at ...10221...
Fri Feb 27 20:47:03 EST 2004
I currently use snort-inline at the perimeter to do inline blocking. I
was just trying to assess the value (if there is any) of using regular
Snort IDS with TCP resets on the internal side of the network.
> twig les wrote:
>> --- Josh Berry <josh.berry at ...10221...> wrote:
>>> I am trying to assess the value of using TCP Resets on Exploit
>>> attacks over TCP such as Blaster and Code Red. It seems as though
>>> trying to reset these types of connections will just double the
>>> amount of network traffic while not stopping the exploit. Won't
>>> the reset reach the machine too late as the IDS is reacting just
>>> after the connection is seen?
>> That is a band-aid. The core problem is the infected host. Aside
>> from doubling the traffic it does nothing to fix the core problem, just
>> the symptom. If Snort is not inline it may get bogged down enough to
>> let a payload pass anyway.
> If you issue an RST (assuming inline):
> * generates return traffic,
> * fakes most scanners into believing port is closed,
> * attacker can rapidly continue their attack/scan
> If you do not issue an RST, but silently drop:
> * no return traffic,
> * attacker must wait for timeout,
> * scanners assume the port is "filtered"
> Inline will indeed not work exactly as expected; the above rules apply
> to strictly inline devices (firewall, iptables, etc).
Josh Berry, CISSP
CTO, VP of Product Development
josh.berry at ...10268...
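The race Josh asks about (does the forged RST arrive before the exploit bytes?) can be shown with a small timing model. The following is an added illustration, not code from the thread or from Snort, and it assumes made-up latencies: a passive sensor on a tap sees each segment a little after it is sent, spends some time matching, and then sends a RST that itself needs a link delay to reach the victim, while an inline sensor holds every segment until it has been inspected. The `Segment`, `passive_reset_delivery` and `inline_drop_delivery` names and the millisecond values are constructed for the example.

```python
"""Timing model: passive-IDS TCP reset versus inline drop.

Constructed example (not Snort code). Times are in milliseconds and are
assumptions chosen to make the race visible; the conclusion does not depend
on the exact values, only on the fact that a passive sensor can react to a
segment only after that segment is already on its way to the victim.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Segment:
    name: str
    sent_ms: float   # time the attacker puts the segment on the wire
    trigger: bool    # does this segment by itself match the IDS rule?


def passive_reset_delivery(segments: List[Segment], link_ms: float,
                           tap_ms: float, detect_ms: float) -> List[str]:
    """Passive sensor (tap/SPAN port) that answers a match with a forged RST.

    It cannot stop the segment it is looking at; it can only send a RST after
    the fact. Returns the names of the segments the victim's TCP stack has
    accepted before that RST lands.
    """
    triggers = [s for s in segments if s.trigger]
    if not triggers:
        return [s.name for s in segments]
    first = min(triggers, key=lambda s: s.sent_ms)
    # The sensor sees its copy tap_ms after transmission, needs detect_ms to
    # match the rule, and its RST needs link_ms to reach the victim.
    rst_arrives_ms = first.sent_ms + tap_ms + detect_ms + link_ms
    # The victim receives every original segment link_ms after it was sent,
    # so the triggering segment itself always wins the race; only segments
    # the attacker sends later can be cut off.
    return [s.name for s in segments if s.sent_ms + link_ms < rst_arrives_ms]


def inline_drop_delivery(segments: List[Segment]) -> List[str]:
    """Inline sensor (snort-inline style): every segment is held until it has
    been inspected, and the first matching segment plus the rest of the flow
    are dropped. Only what preceded the trigger is delivered."""
    delivered = []
    for s in sorted(segments, key=lambda s: s.sent_ms):
        if s.trigger:
            break
        delivered.append(s.name)
    return delivered


# Constructed flows. LINK/TAP/DETECT are assumed latencies, not measurements.
LINK_MS, TAP_MS, DETECT_MS = 10.0, 0.5, 1.0

# Worm-style exploit: the whole payload rides in one segment right after
# the handshake, which is the Blaster / Code Red case from the thread.
SINGLE_SEGMENT_EXPLOIT = [
    Segment("syn", 0.0, False),
    Segment("exploit", 30.0, True),
]

# Exploit spread over several segments where the rule already matches on
# the first one (e.g. a request header), with the real payload lagging.
MULTI_SEGMENT_EXPLOIT = [
    Segment("syn", 0.0, False),
    Segment("header", 30.0, True),
    Segment("body", 31.0, False),
    Segment("body-late", 200.0, False),
]

if __name__ == "__main__":
    for label, flow in (("single", SINGLE_SEGMENT_EXPLOIT),
                        ("multi", MULTI_SEGMENT_EXPLOIT)):
        print(label, "passive RST delivers:",
              passive_reset_delivery(flow, LINK_MS, TAP_MS, DETECT_MS))
        print(label, "inline drop delivers:", inline_drop_delivery(flow))
```

With the assumed numbers the single-segment exploit is fully delivered under the passive-RST policy (the RST cannot beat the segment that triggered it), while inline drop stops it at the handshake; only for the multi-segment flow does the passive RST cut off the late segment. That is the gap between "reacting just after the connection is seen" and actually blocking, and it holds for any positive tap, detection and link delay.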