[Bro] RST handling

Adayadil Thomas adayadil.thomas at gmail.com
Sun Aug 12 19:45:09 PDT 2007


Greetings.

I have a general TCP RST handling question.

Assuming the state of a connection is established, and data has been
transferred to and fro
and then the server sends a RST packet (or two) [1] to the client and
the session ends soon after.

From an IDS/IPS standpoint,
- should the session be transitioned to closed upon seeing the first RST?
- if not, is the session marked as SEEN_RST or something and timed out?

From an IPS point of view (which does not allow stateless traffic)
knowing when to remove the connection is critical, isn't it?

I would like to know from Bro's standpoint and in general.


Thanks a lot for any information/viewpoint.

-Ashley

[1] Why does the server send two RST as in the example below --

15:47:05.990438 192.168.0.1.8080 > 192.168.1.1.46615: R 1:1(0) ack 10500305 win 32768 <nop,nop,timestamp 44983385 1113850335> (DF)
15:47:05.990499 192.168.0.1.8080 > 192.168.1.1.46615: R 4223569903:4223569903(0) win 0 (DF)


