Snort mailing list archives

RE: TCP Reset


From: Frank Knobbe <FKnobbe () KnobbeITS com>
Date: Sat, 19 May 2001 14:49:18 -0500

-----Original Message-----
From: michael.porter () hushmail com [mailto:michael.porter () hushmail com]
Sent: Saturday, May 19, 2001 2:51 PM

What does the group think of the benefits of killing TCP connections,
as available in FLEXRESP, or even the Tcpkill feature in ISS
Realsecure?


Personally, I don't like it and don't use it. I like to design IDS
implementations in such a way that it is impossible to establish 'a
dialog' with the IDS box from the dirty network. In other words, I
like to have them only being able to sniff traffic, but not send
traffic (using taps and 'read-only' cables). Any management and
communication that the IDS box sends should occur over a separate,
clean network.

I do like the ability for IDS systems to take an active role and
respond actively (hence my plug-in that reconfigures Chkpt
firewalls). But in this case there is no data sent to the intruder;
the firewall will just filter him out. I don't like sending packets
to someone trying to break into my network.

jmpo (Just my personal opinion)

Regards,
Frank


