
Re: firestorm question



How do I track a TCP session, and if the session is not fully open (Syn-SynAck-Ack) and my
box sends a TCP Reset ...

It is more complicated with the UDP protocol ....

Regards.

PS: Sorry for my bad English.



Greg Sheard wrote:

> On Tue, 2003-03-25 at 16:55, Gianni Tedesco wrote:
> > On Tue, 2003-03-25 at 16:34, rmkml wrote:
> > > If an attacker sends a TCP SYN to me,
> > >
> > > If my box responds automatically with a TCP Reset,
> >
> > alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"RST"; flags:R;)
> >
> > > and other,
> > > If an attacker sends UDP to me,
> > > and my box responds automatically with ICMP port unreachable,
> >
> > alert icmp $HOME_NET any -> $EXTERNAL_NET any (msg: "ICMP"; itype: X;
> > icode: Y;)
> >
> > etc...
> >
> > or am I missing something? :)
>
> Won't the first one alert every time a TCP connection is closed by
> either party, so long as one of them is yourself?
>
> Greg.
>
> --
> With searching comes loss
> and the presence of absence
> "My Novel" not found
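
The session tracking asked about in this thread, as an added example that is not part of the original messages and is not Firestorm or Snort code: a small tracker that alerts only when a home host sends a RST on a connection that never completed SYN / SYN-ACK / ACK, and stays quiet when an established connection is reset. The packet tuple format, `HOME_NET` range, `rst_alerts` function and sample packets are all constructed for illustration.

```python
import ipaddress

HOME_NET = ipaddress.ip_network("192.0.2.0/24")  # assumption: documentation range

def is_home(addr):
    return ipaddress.ip_address(addr) in HOME_NET

def rst_alerts(packets):
    """Return (home_ip, home_port, remote_ip, remote_port) for every RST a home
    host sent in reply to a SYN whose handshake was never completed."""
    state = {}   # (client, cport, server, sport) -> "SYN" | "SYNACK" | "EST"
    alerts = []
    for src, sport, dst, dport, flags in packets:
        fwd = (src, sport, dst, dport)   # session key if src is the client
        rev = (dst, dport, src, sport)   # session key if src is the server
        if flags == "S":
            state[fwd] = "SYN"
        elif flags == "SA" and state.get(rev) == "SYN":
            state[rev] = "SYNACK"
        elif flags == "A" and state.get(fwd) == "SYNACK":
            state[fwd] = "EST"
        elif "R" in flags:
            key = rev if rev in state else fwd
            prior = state.pop(key, None)   # a RST ends the session either way
            # Alert only for server-side RST straight after the client's SYN;
            # RSTs on established or untracked sessions are ignored.
            if prior == "SYN" and key == rev and is_home(src) and not is_home(dst):
                alerts.append((src, sport, dst, dport))
    return alerts

# Constructed sample traffic: (src, sport, dst, dport, tcp_flags)
SAMPLE = [
    # SYN to a closed port, home host answers RST/ACK -> alert
    ("198.51.100.7", 40000, "192.0.2.10", 23, "S"),
    ("192.0.2.10", 23, "198.51.100.7", 40000, "RA"),
    # full three-way handshake, then the home host resets -> no alert
    ("198.51.100.7", 40001, "192.0.2.10", 80, "S"),
    ("192.0.2.10", 80, "198.51.100.7", 40001, "SA"),
    ("198.51.100.7", 40001, "192.0.2.10", 80, "A"),
    ("192.0.2.10", 80, "198.51.100.7", 40001, "R"),
]

if __name__ == "__main__":
    for alert in rst_alerts(SAMPLE):
        print("RST to unanswered SYN:", alert)
```

A production tracker would also need session timeouts and FIN handling, which this example leaves out.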