Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security ISSForum
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [ISSForum] DROP:Connection response is not supported

from [Palmer, Paul \(ISSAtlanta\)] Network Security [Permanent Link]
Subject: RE: [ISSForum] DROP:Connection response is not supported
Date: Thu, 7 Apr 2005 12:39:51 -0400 
Javier,

The TCP probe signatures trigger on one of two different algorithms. If
a TCP SYN is sent to a real system that does not have a service on the
port being probed, the system will send back a TCP RST. We will detect
that RST and issue one of various TCP probe signatures. In this
situation, "drop connection" has some meaning and there is no problem.

The second way that TCP probe signatures can trigger is if a TCP SYN
packet is sent to a system that does not exist (or if there is an
intervening firewall that is filtering such packets). In this case,
there is no response to the SYN packet and the sensor will eventually
recognize that the SYN packet has gone unanswered for an extended period
of time and trigger an appropriate probe event. It is very likely that
the sensor isn't even processing packets at the exact moment that it
decides that the SYN will never be answered. In this case, there is no
connection to block. The sensor logs the messages you have seen to
report that it could not implement your wishes.

I hope this helps.

Paul

-----Original Message-----
From: issforum-bounces@atla-mm1.iss.net On Behalf Of Javier Reyna
Padilla
Sent: Wednesday, April 06, 2005 2:35 PM
To: issforum@atla-mm1.iss.net
Subject: [ISSForum] DROP:Connection response is not supported


Hello, I am new in the list, an I have a little question, I have a 
Proventia G100, I derive and edit a new policy from Attacks and Audits, 
Im blocking some signatures like TCP_Probe_Trojan, TCP_Probe_Other, and 
select the drop connection o connectionwith reset... I see a lot of 
these messages on /var/log/messages

Do you know if theres is dcumentation for specific drop configuration 
for signatures? Or how do I block these signatures?

Apr  6 09:21:05 djinn packetlib[698]: (djinn) - DROP:Connection response

is not supported for TCP_Probe_POP3 event
Apr  6 09:34:26 djinn packetlib[698]: (djinn) - DROP:ConnectionWithReset

response is not supported for TCP_Probe_Other event
Apr  6 09:41:44 djinn packetlib[698]: (djinn) - DROP:Connection response

is not supported for TCP_Probe_Trojan event


Regards!

-- 
Saludos


------------------------------
Javier Reyna Padilla

Depto. de Seguridad
Onlinet S.A. de C.V.
Oficina: 5586-2613 Ext: 112
Cel: 04455-19236928
http://www.onlinet.com.mx
------------------------------

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security
Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.

_______________________________________________
ISSForum mailing list
ISSForum@iss.net

TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to 
https://atla-mm1.iss.net/mailman/listinfo/issforum

To contact the ISSForum Moderator, send email to mod-issforum@iss.net

The ISSForum mailing list is hosted and managed by Internet Security Systems, 
6303 Barfield Road, Atlanta, Georgia, USA 30328.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: [ISSForum] Internet Scanner SP2 problems, Soldatov Sergey V.
Next by Date:  [ISSForum] Jabber, Soldatov Sergey V.
Previous by Thread:  [ISSForum] DROP:Connection response is not supported, Javier Reyna Padilla
Next by Thread:  [ISSForum] Jabber, Soldatov Sergey V.
Indexes:  [Date] [Thread] [Top] [All Lists]