Mike,
Although I have not seen your exact scenario before, it is not unusual
for TCP RST packets to contain a "payload" describing the reason that
the connection was terminated. This payload is essentially just an out
of band comment and is not part of the data stream.
Based upon my experience analyzing IDS products, it is very likely that
the IDS is trying to analyze the TCP RST payload as if it were part of
the data transferred on the connection and is becoming confused. I
recommend that you contact your IDS vendor for a fix.
Paul
-----Original Message-----
From: Mike Gibson [mailto:micheal.gibson_at_gmail.com]
Sent: Tuesday, January 10, 2006 11:06 AM
To: focus-ids_at_securityfocus.com
Subject: TCP ACK/RST packets with data in the Reset Cause
Has anyone ever seen TCP RST packets being sent from clients to web
server with a "Reset Cause" containing the HTML that was in the packet
that they are responding to?
For example a browser client is getting a 404 error returned from my
webserver but right after this I am seeing a CP ACK/RST packet from the
client with the 404 HTML in the packet.
When I look at the packet in Ethereal it shows the HTML in a field
called "Reset cause".
These packets are causing my IDS to go nuts.
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
Received on Jan 11 2006
Intro
