IDS: TCP ACK/RST packets with data in the Reset Cause

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

IDS mailing list archives

TCP ACK/RST packets with data in the Reset Cause

From: Mike Gibson <micheal.gibson () gmail com>
Date: Tue, 10 Jan 2006 11:06:03 -0500

Has anyone ever seen TCP RST packets being sent from clients to web
server with a "Reset Cause" containing the HTML that was in the packet
that they are responding to?

For example a browser client is getting a 404 error returned from my
webserver but right after this I am seeing a CP ACK/RST packet from
the client with the 404 HTML in the packet.

When I look at the packet in Ethereal it shows the HTML in a field
called "Reset cause".

These packets are causing my IDS to go nuts.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------

By Date By Thread

Current thread:

TCP ACK/RST packets with data in the Reset Cause Mike Gibson (Jan 10)
- Re: TCP ACK/RST packets with data in the Reset Cause Mike Frantzen (Jan 11)
- <Possible follow-ups>
- RE: TCP ACK/RST packets with data in the Reset Cause Palmer, Paul (ISSAtlanta) (Jan 11)