
Re: [Snort-users] More TCP Reset Questions

Old 03-01-2004
Matt Kettler
Default Re: [Snort-users] More TCP Reset Questions

At 10:22 AM 3/1/2004, Josh Berry wrote:
>In what situations do users on this list recommend using TCP resets, if
>they are recommended at all? So far all I have is policy issues like chat
>and P2P clients, where resets disrupt the operation of the client. Is
>there anything else?


Generally speaking, I'd say they are acceptable to use for almost anything
that is clearly not permitted in your network.

Attack sigs with no known FPs, policy issues, etc. are all fine.

However, NEVER rely on tcp resets as your only line of defense against
attacks. Flexresp is a great add-on to your network, but it should not be
used to try to replace a firewall, or a mail-server virus scanner.

In general keep in mind that a skilled attacker is likely to be able to get
past a tcp reset with a few tries at advancing the sequence number.
Flexresp2 makes it harder for the attacker, but given sufficient tries they
will eventually get past it if they know what they are doing. Even an
automated attack which isn't designed to evade flexresp has a small chance
of evading it.

Keeping that limitation in mind will help you avoid the tragic mistake of
over-dependence on flexresp to provide network security. As long as you
realize where its limits are, feel free to implement it with most any
rule that isn't noisy and FP prone.

There's no reason to avoid using tcp resets. There's just reason to avoid
treating them as "solid" protection.




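Added example (editor's note, not part of Matt's post and not Snort's flexresp code): a small model of why an IDS-injected RST can miss when the attacker keeps advancing the sequence number, and why sending several RSTs only raises the bar rather than closing it. It assumes the classic RFC 793 acceptance rule (a RST is honoured if its SEQ lands anywhere in the receiver's window), a 1460-byte segment, a 65535-byte window, and models the "multiple RSTs" idea as evenly spaced sequence numbers; that spacing is an assumption for illustration, not a description of what flexresp2 actually transmits.

```python
"""Model of TCP RST injection racing a sender that keeps advancing SEQ.

Constructed example. Assumes RFC 793 RST acceptance: a RST is accepted
when its sequence number falls in [RCV.NXT, RCV.NXT + RCV.WND) mod 2**32.
Window size, segment size and the evenly spaced multi-RST strategy are
assumptions for illustration, not Snort/flexresp2 internals.
"""

WRAP = 1 << 32          # 32-bit sequence space
SEG_LEN = 1460          # assumed payload per attacker segment
RCV_WND = 65535         # assumed victim receive window
ISN = 1_000_000         # assumed initial sequence number of the attacker


def in_window(seq, lo, size):
    """True if seq lies in [lo, lo + size) modulo 2**32 (handles wrap)."""
    return (seq - lo) % WRAP < size


class Receiver:
    """Minimal victim TCP receiver: tracks RCV.NXT and honours in-window RSTs."""

    def __init__(self, rcv_nxt, rcv_wnd):
        self.rcv_nxt = rcv_nxt % WRAP
        self.rcv_wnd = rcv_wnd
        self.closed = False

    def deliver(self, seq, length):
        """Accept an in-order data segment and advance RCV.NXT."""
        if self.closed or seq != self.rcv_nxt:
            return False
        self.rcv_nxt = (self.rcv_nxt + length) % WRAP
        return True

    def receive_rst(self, seq):
        """RFC 793 rule: reset the connection if the RST's SEQ is in-window."""
        if not self.closed and in_window(seq, self.rcv_nxt, self.rcv_wnd):
            self.closed = True
            return True
        return False


def ids_rst_seqs(seen_seq, seen_len, count, step):
    """Sequence numbers an IDS would put on its spoofed RSTs.

    A single-RST responder uses exactly what the victim should expect next
    (seen_seq + seen_len). A multi-RST responder is modelled here as that
    base plus i*step for i in range(count); the spacing is an assumption.
    """
    base = (seen_seq + seen_len) % WRAP
    return [(base + i * step) % WRAP for i in range(count)]


def simulate(attacker_advance_segments, rst_count,
             seg_len=SEG_LEN, rcv_wnd=RCV_WND, isn=ISN):
    """Return True if the IDS's RST(s) tear down the victim's connection.

    attacker_advance_segments: extra in-order segments the attacker gets
    onto the wire before the IDS's RST reaches the victim.
    rst_count: how many RSTs the IDS sends (1 = single stale-prone RST).
    """
    victim = Receiver(isn, rcv_wnd)
    trigger_seq = isn
    victim.deliver(trigger_seq, seg_len)        # segment that matched the rule
    for i in range(attacker_advance_segments):   # attacker keeps streaming
        victim.deliver((trigger_seq + (i + 1) * seg_len) % WRAP, seg_len)
    # IDS computed its RSTs from the trigger packet, not from what arrived later
    for seq in ids_rst_seqs(trigger_seq, seg_len, rst_count, rcv_wnd):
        if victim.receive_rst(seq):
            return True
    return False


if __name__ == "__main__":
    for advance, rsts in [(0, 1), (3, 1), (3, 4), (200, 4)]:
        print(f"attacker advanced {advance:3d} segments, IDS sent {rsts} RST(s): "
              f"{'reset' if simulate(advance, rsts) else 'evaded'}")
```

Run it and the four cases come out as: an attacker who sends nothing further is reset by one RST; three extra segments in flight put a single RST below RCV.NXT, so it is silently dropped; four window-spaced RSTs recover that case; two hundred extra segments outrun all four. Note that stacks implementing RFC 5961 accept an in-window RST immediately only when SEQ equals RCV.NXT and otherwise answer with a challenge ACK, which makes stale or guessed resets less reliable still.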