RE: [ISSForum] DROP:Connection response is not supported
From: Palmer, Paul (ISSAtlanta) (PPalmer iss.net)
Date: Thu Apr 07 2005 - 11:39:51 CDT
Javier,
The TCP probe signatures trigger on one of two different algorithms. If
a TCP SYN is sent to a real system that does not have a service on the
port being probed, the system will send back a TCP RST. We will detect
that RST and issue one of various TCP probe signatures. In this
situation, "drop connection" has some meaning and there is no problem.
The second way that TCP probe signatures can trigger is if a TCP SYN
packet is sent to a system that does not exist (or if there is an
intervening firewall that is filtering such packets). In this case,
there is no response to the SYN packet and the sensor will eventually
recognize that the SYN packet has gone unanswered for an extended period
of time and trigger an appropriate probe event. It is very likely that
the sensor isn't even processing packets at the exact moment that it
decides that the SYN will never be answered. In this case, there is no
connection to block. The sensor logs the messages you have seen to
report that it could not implement your wishes.
I hope this helps.
Paul
-----Original Message-----
From: issforum-bounces atla-mm1.iss.net On Behalf Of Javier Reyna Padilla
Sent: Wednesday, April 06, 2005 2:35 PM
To: issforum atla-mm1.iss.net
Subject: [ISSForum] DROP:Connection response is not supported
Hello, I am new to the list, and I have a little question. I have a
Proventia G100; I derived and edited a new policy from Attacks and Audits.
I'm blocking some signatures like TCP_Probe_Trojan, TCP_Probe_Other, and
selecting the drop connection or connection with reset... I see a lot of
these messages in /var/log/messages
Do you know if there is documentation for specific drop configuration
for signatures? Or how do I block these signatures?
Apr 6 09:21:05 djinn packetlib[698]: (djinn) - DROP:Connection response is not supported for TCP_Probe_POP3 event
Apr 6 09:34:26 djinn packetlib[698]: (djinn) - DROP:ConnectionWithReset response is not supported for TCP_Probe_Other event
Apr 6 09:41:44 djinn packetlib[698]: (djinn) - DROP:Connection response is not supported for TCP_Probe_Trojan event
Regards!
--
Regards
------------------------------
Javier Reyna Padilla
Security Dept.
Onlinet S.A. de C.V.
Office: 5586-2613 Ext: 112
Cell: 04455-19236928
http://www.onlinet.com.mx
------------------------------
_______________________________________________
ISSForum mailing list
ISSForum iss.net
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to mod-issforum iss.net
The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
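
Added example, not part of the original thread and not ISS sensor code: a toy Python model of the two trigger paths described in the reply above, showing why a drop response can only apply when the probe event fires on an RST packet and not when it fires on a timer. The 30-second timeout, the class and field names, and the sample addresses are assumptions.

```python
from dataclasses import dataclass

SYN_TIMEOUT = 30.0  # assumed; the reply only says "an extended period of time"

@dataclass(frozen=True)
class ProbeEvent:
    flow: tuple      # (src, sport, dst, dport) of the original SYN
    trigger: str     # "rst" or "timeout"
    can_drop: bool   # True only if a packet is in hand when the event fires

class ProbeTracker:
    def __init__(self, timeout=SYN_TIMEOUT):
        self.timeout = timeout
        self.pending = {}  # flow -> timestamp of the unanswered SYN

    def on_packet(self, ts, src, sport, dst, dport, flags):
        """Path 1, packet-driven: an RST answering a tracked SYN raises the event."""
        if flags == "S":
            self.pending[(src, sport, dst, dport)] = ts
            return None
        flow = (dst, dport, src, sport)  # reply direction maps back to the SYN's flow
        if self.pending.pop(flow, None) is None:
            return None
        if "R" in flags:
            return ProbeEvent(flow, "rst", can_drop=True)
        return None  # SYN/ACK: a service answered, not a closed-port probe

    def on_timer(self, now):
        """Path 2, timer-driven: no packet is being processed when this fires."""
        stale = [f for f, t in self.pending.items() if now - t >= self.timeout]
        for f in stale:
            del self.pending[f]
        return [ProbeEvent(f, "timeout", can_drop=False) for f in stale]

def run_demo():
    # Constructed sample traffic using documentation address ranges.
    tracker, events = ProbeTracker(), []
    packets = [
        (0.0, "198.51.100.7", 40000, "192.0.2.10", 110, "S"),
        (0.1, "192.0.2.10", 110, "198.51.100.7", 40000, "RA"),  # closed port
        (1.0, "198.51.100.7", 40001, "192.0.2.99", 110, "S"),   # no such host
    ]
    for pkt in packets:
        ev = tracker.on_packet(*pkt)
        if ev:
            events.append(ev)
    events += tracker.on_timer(now=1.0 + SYN_TIMEOUT)
    return events

if __name__ == "__main__":
    for e in run_demo():
        print(e)
```

The second event in the output corresponds to the situation in which the sensor logs "response is not supported": the probe is recognized only after the timeout, with no connection left to block.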