IDS: Re: Network hardware IPS

Re: Network hardware IPS

From: Alvin Wong <alvin.wong_at_b2b.com.my>
Date: 02 Oct 2003 11:25:26 +0800

Thanks for the information, Cory, that was really insightful.

Regards,
Alvin

On Wed, 2003-10-01 at 00:52, Cory Stoker wrote:
> Alvin Wong wrote:
>
> <snip>
>
> |
> |Also, my question to any is the following
> |"One note of caution on TCP Reset is not a preferred method of blocking
> |attacks according to some security experts. " Alan Shimel
> |
> |Why isn't TCP reset a preferred method of blocking?
> |
> |Regards,
> |Alvin
> |
> <snip>
>
> Hi:
>
> The main reason that TCP resets are not a preferred method of blocking
> is that they are not guaranteed to be successful. I quote below:
>
> "In our tests, snort (v 1.8.4 and beta v. 1.9.1) does not always kill
> the HTTP connection using the RST and/or ICMPs. In most of the cases the
> connection is reset and sometimes it remains running and the file (dummy
> "cmd.exe" placed on Apache web server) is successfully downloaded. The
> possible explanation is that RST arrives too late for the connection to
> be reset since the response from server comes earlier with the right
> sequence number. The delayed RST is then discarded. Thus RST/ICMP is not
> a reliable security mechanism (exactly as claimed in the snort
> documentation)." -- Anton Chuvakin, Ph.D.
>
> Also, many attacks are too short for a TCP reset to be effective, or the
> attacker could change his IP stack to disregard the TCP reset.
>
> Thanks,
> --
>
> Cory Stoker
> Security Engineer
> Latis Networks, Inc.
>
> www.stillsecure.com
> Reducing your risk has never been this easy
>
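A small model of the race Chuvakin describes, added here as an illustration and not part of the original thread (the sequence numbers, segment size and window are constructed): the client honours a RST only while its sequence number sits inside the receive window, so once the server's real response has advanced the window, the IDS's late RST is discarded.

```python
# Model of why an IDS-injected TCP reset can arrive "too late" under the
# RFC 793 acceptability test. Constructed illustration, not code from the thread.
from dataclasses import dataclass


@dataclass
class Segment:
    seq: int
    length: int = 0
    rst: bool = False


@dataclass
class Receiver:
    """Minimal receive side of an ESTABLISHED TCP connection (the client)."""
    rcv_nxt: int
    rcv_wnd: int = 65535
    state: str = "ESTABLISHED"

    def in_window(self, seg: Segment) -> bool:
        # RFC 793: a segment is acceptable if RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND
        return self.rcv_nxt <= seg.seq < self.rcv_nxt + self.rcv_wnd

    def deliver(self, seg: Segment) -> str:
        if self.state == "CLOSED" or not self.in_window(seg):
            return "discarded"
        if seg.rst:
            self.state = "CLOSED"
            return "reset"
        # In-order data advances the next expected sequence number.
        if seg.seq == self.rcv_nxt:
            self.rcv_nxt += seg.length
        return "accepted"


def run(order):
    """Deliver segments in the given order; return (final state, outcome per segment)."""
    client = Receiver(rcv_nxt=1000)
    outcomes = [client.deliver(seg) for seg in order]
    return client.state, outcomes


# Constructed: the server's HTTP response (1460 bytes at seq 1000) and the IDS's
# forged RST, which reuses the sequence number the IDS observed on that response.
server_data = Segment(seq=1000, length=1460)
ids_rst = Segment(seq=1000, rst=True)

if __name__ == "__main__":
    print(run([ids_rst, server_data]))  # RST wins the race: connection torn down
    print(run([server_data, ids_rst]))  # data arrives first: stale RST discarded
```

Later stacks following RFC 5961 are stricter still, accepting a RST only when its sequence number equals RCV.NXT exactly and otherwise sending a challenge ACK, which narrows the IDS's window even further.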

Received on Oct 02 2003