
Re: [Snort-users] More TCP Reset Questions



Post #1, 03-01-2004, Josh Berry

Correct me if I am wrong but won't TCP resets for attacks like worms just
produce more traffic? It will just multiply the amount of network traffic
and will not stop the worm as the reset will not make it until the
malicious payload has already hit your server/desktop. This is why it is
hard for me to find value in resets except for persistent connection
applications like P2P, Chat, backdoors, and Trojans.

Thanks

> At 10:22 AM 3/1/2004, Josh Berry wrote:
>> In what situations do users on this list recommend using TCP-Resets, if
>> they are recommended at all? So far all I have is policy issues like Chat
>> and P2P clients where resets disrupt the operation of the client; is
>> there anything else?

>
> Generally speaking, I'd say they are acceptable to use for almost anything
> that is clearly not permitted in your network.
>
> Attack sigs with no known FPs, Policy issues, etc are all fine.
>
> However, NEVER rely on tcp resets as your only line of defense against
> attacks. Flexresp is a great add-on to your network, but it should not be
> used to try to replace a firewall, or a mail-server virus scanner.
>
> In general keep in mind that a skilled attacker is likely to be able to get
> past a tcp reset with a few tries at advancing the sequence number.
> Flexresp2 makes it harder for the attacker, but given sufficient tries they
> will eventually get past it if they know what they are doing. Even an
> automated attack which isn't designed to evade flexresp has a small chance
> of evading it.
>
> Keeping that limitation in mind will help you avoid the tragic mistake of
> over-dependence on flexresp to provide network security. As long as you
> realize where its limits are, feel free to implement it with most any sa
> rule that isn't noisy and FP prone.
>
> There's no reason to avoid using tcp resets. There's just reason to avoid
> treating them as "solid" protection.
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
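As an added illustration of the two points raised in this post (a one-shot attack's payload is delivered before any sensor-generated reset can arrive, and a reset only takes effect if its sequence number lands inside the receiver's window), here is a small timing simulation written for this page. It is not code from Snort, flexresp, or anyone in the thread; the link delays, sensor processing time, the three flows, the "EVIL" signature and the receiver's window logic are all constructed assumptions.

```python
"""Timing model of IDS-generated TCP resets (flexresp-style active response).

Added example; not code from Snort or from anyone in the thread. The link
delays, sensor processing time, the three constructed flows and the "EVIL"
signature are assumptions. The receiver applies the classic RFC 793 rule:
a RST is honoured only if its sequence number lies inside the receive window
(RFC 5961 is stricter, but the in-window rule is what matters here).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Segment:
    t_sent: float        # time the sender puts the segment on the wire
    seq: int             # sequence number of its first payload byte
    payload: bytes = b""
    rst: bool = False


@dataclass
class Receiver:
    rcv_nxt: int                              # next expected sequence number
    rcv_wnd: int = 65535
    delivered: List[bytes] = field(default_factory=list)
    closed_at: Optional[float] = None

    def accept(self, seg: Segment, t: float) -> str:
        if self.closed_at is not None:
            return "dropped: connection already reset"
        if seg.rst:
            if self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd:
                self.closed_at = t
                return "reset accepted"
            return "reset ignored: seq outside receive window"
        if seg.seq != self.rcv_nxt:
            return "out of order (retransmission not modelled)"
        self.rcv_nxt += len(seg.payload)
        self.delivered.append(seg.payload)
        return "delivered"


SIGNATURE = b"EVIL"   # constructed stand-in for a rule's content match
ISN = 1000            # constructed initial sequence number


def simulate(flow: List[Segment], d_sensor: float, d_server: float,
             sensor_cpu: float) -> Tuple[Receiver, List[str]]:
    """Passive sensor sits d_sensor behind the client; the server is d_server
    further on. For each matching segment the sensor forges one RST whose
    seq is the server's rcv_nxt *after* that segment lands, which is the best
    a passive sensor can compute. Returns the receiver and an event log."""
    events = []                               # (arrival time at server, segment)
    for seg in flow:
        t_seen = seg.t_sent + d_sensor
        events.append((t_seen + d_server, seg))
        if SIGNATURE in seg.payload:
            rst = Segment(t_seen + sensor_cpu, seg.seq + len(seg.payload), rst=True)
            events.append((rst.t_sent + d_server, rst))
    rcv = Receiver(rcv_nxt=ISN)
    log = []
    for t, seg in sorted(events, key=lambda e: e[0]):
        kind = "RST " if seg.rst else "DATA"
        log.append(f"t={t:.3f} {kind} seq={seg.seq}: {rcv.accept(seg, t)}")
    return rcv, log


# Constructed flows. Payload bytes are made up; only their lengths matter.
def worm_flow() -> List[Segment]:
    # one-shot exploit: the whole payload rides in the first data segment
    return [Segment(0.0, ISN, b"EVIL overflow in first segment")]


def chat_flow() -> List[Segment]:
    # persistent session: the offending command comes mid-conversation
    return [Segment(0.0, ISN, b"HELLO"),
            Segment(1.0, ISN + 5, b"EVIL command"),
            Segment(2.0, ISN + 17, b"more"),
            Segment(3.0, ISN + 21, b"still more")]


def burst_flow() -> List[Segment]:
    # back-to-back segments: more data lands before the forged RST does
    return [Segment(0.000, ISN, b"EVIL burst"),
            Segment(0.001, ISN + 10, b"second"),
            Segment(0.002, ISN + 16, b"third"),
            Segment(1.000, ISN + 21, b"later")]


if __name__ == "__main__":
    for name, flow in (("worm", worm_flow()), ("chat", chat_flow()),
                       ("burst", burst_flow())):
        rcv, log = simulate(flow, d_sensor=0.010, d_server=0.010, sensor_cpu=0.005)
        print(f"--- {name}: {len(rcv.delivered)} segment(s) delivered, "
              f"closed_at={rcv.closed_at}")
        print("\n".join(log))
```

Running it shows the three outcomes the thread describes: the worm's single segment is delivered and only then torn down, the chat session loses everything after the matching command, and in the burst case the one forged RST arrives with a sequence number the receiver has already moved past, so it is ignored and the session survives. That last case is the kind of window miss behind the advice to treat resets as containment for long-lived sessions rather than as prevention.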