
RE: [ISSForum] DROP:Connection response is not supported



Javier,

The TCP probe signatures trigger on one of two different algorithms. If
a TCP SYN is sent to a real system that does not have a service on the
port being probed, the system will send back a TCP RST. We will detect
that RST and issue one of various TCP probe signatures. In this
situation, "drop connection" has some meaning and there is no problem.

The second way that TCP probe signatures can trigger is if a TCP SYN
packet is sent to a system that does not exist (or if there is an
intervening firewall that is filtering such packets). In this case,
there is no response to the SYN packet and the sensor will eventually
recognize that the SYN packet has gone unanswered for an extended period
of time and trigger an appropriate probe event. It is very likely that
the sensor isn't even processing packets at the exact moment that it
decides that the SYN will never be answered. In this case, there is no
connection to block. The sensor logs the messages you have seen to
report that it could not implement your wishes.

I hope this helps.

Paul

-----Original Message-----
From: issforum-bounces@xxxxxxxxxxxxxxxx On Behalf Of Javier Reyna Padilla
Sent: Wednesday, April 06, 2005 2:35 PM
To: issforum@xxxxxxxxxxxxxxxx
Subject: [ISSForum] DROP:Connection response is not supported


Hello, I am new to the list, and I have a little question. I have a
Proventia G100, I derive and edit a new policy from Attacks and Audits,
I'm blocking some signatures like TCP_Probe_Trojan, TCP_Probe_Other, and
select the drop connection or connection with reset... I see a lot of
these messages in /var/log/messages

Do you know if there is documentation for specific drop configuration
for signatures? Or how do I block these signatures?

Apr  6 09:21:05 djinn packetlib[698]: (djinn) - DROP:Connection response is not supported for TCP_Probe_POP3 event
Apr  6 09:34:26 djinn packetlib[698]: (djinn) - DROP:ConnectionWithReset response is not supported for TCP_Probe_Other event
Apr  6 09:41:44 djinn packetlib[698]: (djinn) - DROP:Connection response is not supported for TCP_Probe_Trojan event


Regards!

-- 
Saludos


------------------------------
Javier Reyna Padilla

Depto. de Seguridad
Onlinet S.A. de C.V.
Oficina: 5586-2613 Ext: 112
Cel: 04455-19236928
http://www.onlinet.com.mx
------------------------------

_______________________________________________
ISSForum mailing list
ISSForum@xxxxxxx

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@xxxxxxx

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

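
The two trigger paths described in Paul's reply, as an added sketch that is not part of the original thread and is not ISS sensor code. The `ProbeTracker` class, the 30-second timeout, the flow tuples and the sample addresses are all assumptions made for illustration; the point is that the timeout path fires from a timer with no packet in hand, so there is nothing for a drop response to act on.

```python
from dataclasses import dataclass

SYN_TIMEOUT = 30.0  # assumed value; the thread gives no figure


@dataclass
class ProbeEvent:
    time: float
    flow: tuple            # (client, server, port)
    trigger: str           # "rst" or "timeout"
    drop_applicable: bool  # can a DROP response act on this event?


class ProbeTracker:
    def __init__(self, timeout=SYN_TIMEOUT):
        self.timeout = timeout
        self.pending = {}  # flow -> time the SYN was seen
        self.events = []

    def observe(self, t, flow, flags):
        """Packet path: called while a packet on `flow` is being processed."""
        if flags == "SYN":
            self.pending[flow] = t
        elif flow in self.pending:
            del self.pending[flow]
            if flags == "RST":
                # Closed port on a live host: a packet exists to act on.
                self.events.append(ProbeEvent(t, flow, "rst", True))
            # A SYN-ACK means a service answered; no probe event.

    def tick(self, now):
        """Timer path: no packet is in hand when an unanswered SYN expires."""
        for flow, seen in list(self.pending.items()):
            if now - seen >= self.timeout:
                del self.pending[flow]
                self.events.append(ProbeEvent(now, flow, "timeout", False))


def demo():
    # Constructed sample traffic using documentation address ranges.
    tr = ProbeTracker()
    closed = ("198.51.100.5", "192.0.2.10", 110)   # host up, port closed
    absent = ("198.51.100.5", "192.0.2.99", 110)   # no such host / filtered
    served = ("198.51.100.5", "192.0.2.10", 25)    # real service
    tr.observe(0.0, closed, "SYN"); tr.observe(0.1, closed, "RST")
    tr.observe(1.0, absent, "SYN")
    tr.observe(2.0, served, "SYN"); tr.observe(2.1, served, "SYN-ACK")
    tr.tick(10.0)   # too early, nothing expires
    tr.tick(31.0)   # the unanswered SYN expires here
    return tr.events
```
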