[Snort-users] Re: TCP Resets

Gary Flynn flynngn at ...6811...
Sat Feb 28 21:13:03 EST 2004


One more consideration. If you're running something inline
and you drop a packet, you have to consider the effects on
the overlying application.

For example, an SMTP server sending a virus in the middle of
a set of messages may queue up messages behind the failed
transmission.

Not only that, if worm activity is heavy you better drop
the server connection after you drop the packet. Doing
otherwise does bad things due to a bunch of half-open
connections on the receiving server. I speak from a
bad experience on that one. :)

As someone told me on another list, that is the price one pays
when one tries to address an application problem at the
network layer.
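
An added illustration, not part of the original post: a small model of the receiving server's connection table under heavy worm traffic, comparing an inline drop alone with a drop followed by a reset to the server. The slot limit, idle timeout, connection rate and reset latency are all assumed values chosen for the example.

```python
import heapq

def simulate(drop_times_ms, max_slots, idle_timeout_ms, reset_after_drop,
             rst_latency_ms=1):
    """Model the receiving server's connection table (constructed model).

    drop_times_ms: sorted times at which an inline device drops the payload
                   packet of an already-established connection.
    Without a reset the server holds the slot until its idle timeout;
    with a reset it frees the slot almost at once.
    """
    held = []                      # min-heap of times at which slots free up
    peak, full_at, refused = 0, None, 0
    for t in drop_times_ms:
        while held and held[0] <= t:       # release connections that ended
            heapq.heappop(held)
        if len(held) >= max_slots:         # table full: new connection refused
            refused += 1
            continue
        hold = rst_latency_ms if reset_after_drop else idle_timeout_ms
        heapq.heappush(held, t + hold)
        peak = max(peak, len(held))
        if len(held) == max_slots and full_at is None:
            full_at = t                    # first moment the table is full
    return {"peak": peak, "full_at_ms": full_at, "refused": refused}

# Assumed workload: 20 infected connections per second for one minute,
# a server with 256 connection slots and a 5 minute idle timeout.
WORM_DROPS = list(range(0, 60_000, 50))
MAX_SLOTS = 256
IDLE_TIMEOUT_MS = 300_000

def drop_only():
    return simulate(WORM_DROPS, MAX_SLOTS, IDLE_TIMEOUT_MS, False)

def drop_then_reset():
    return simulate(WORM_DROPS, MAX_SLOTS, IDLE_TIMEOUT_MS, True)

if __name__ == "__main__":
    print("drop only:      ", drop_only())
    print("drop then reset:", drop_then_reset())
```

In this model the drop-only table is full after about 13 seconds and stays full until the first idle timeouts expire, so any connection arriving in that window is refused, legitimate mail included.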
