Javier,

The TCP probe signatures trigger on one of two different algorithms. If a TCP SYN is sent to a real system that does not have a service on the port being probed, the system will send back a TCP RST. We will detect that RST and issue one of various TCP probe signatures. In this situation, "drop connection" has some meaning and there is no problem.

The second way that TCP probe signatures can trigger is if a TCP SYN packet is sent to a system that does not exist (or if there is an intervening firewall that is filtering such packets). In this case, there is no response to the SYN packet and the sensor will eventually recognize that the SYN packet has gone unanswered for an extended period of time and trigger an appropriate probe event. It is very likely that the sensor isn't even processing packets at the exact moment that it decides that the SYN will never be answered. In this case, there is no connection to block. The sensor logs the messages you have seen to report that it could not implement your wishes.

I hope this helps.

Paul

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Javier Reyna Padilla
Sent: Wednesday, April 06, 2005 2:35 PM
To: [EMAIL PROTECTED]
Subject: [ISSForum] DROP:Connection response is not supported

Hello,

I am new to the list, and I have a little question. I have a Proventia G100. I derived and edited a new policy from Attacks and Audits. I'm blocking some signatures like TCP_Probe_Trojan, TCP_Probe_Other, and selected the drop connection or connection with reset...

I see a lot of these messages in /var/log/messages. Do you know if there is documentation for specific drop configuration for signatures? Or how do I block these signatures?

Apr 6 09:21:05 djinn packetlib[698]: (djinn) - DROP:Connection response is not supported for TCP_Probe_POP3 event
Apr 6 09:34:26 djinn packetlib[698]: (djinn) - DROP:ConnectionWithReset response is not supported for TCP_Probe_Other event
Apr 6 09:41:44 djinn packetlib[698]: (djinn) - DROP:Connection response is not supported for TCP_Probe_Trojan event

Regards!

--
Regards
------------------------------
Javier Reyna Padilla
Security Dept.
Onlinet S.A. de C.V.
Office: 5586-2613 Ext: 112
Cell: 04455-19236928
http://www.onlinet.com.mx
------------------------------
_______________________________________________
ISSForum mailing list
[email protected]
TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum
To contact the ISSForum Moderator, send email to [EMAIL PROTECTED]
The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
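
The two trigger paths described in the reply above, as a simplified model. This is an added example, not part of the original thread and not ISS or Proventia code; the 30-second timeout, the port-to-signature map and the class and field names are assumptions made for illustration.

```python
# Simplified model of the two TCP probe trigger paths from the reply above.
# Added illustration only; timeout value and port map are assumptions.
from dataclasses import dataclass

SYN_TIMEOUT = 30.0                           # assumed; the reply only says "an extended period"
SIGNATURE_BY_PORT = {110: "TCP_Probe_POP3"}  # constructed mapping for the demo


@dataclass
class ProbeEvent:
    signature: str
    trigger: str          # "rst" or "timeout"
    drop_possible: bool   # is there a live packet/flow for a drop response to act on?
    log: str = ""


class ProbeTracker:
    def __init__(self, response="DROP:Connection"):
        self.response = response
        self.pending = {}   # (src, dst, dport) -> time the SYN was seen

    def on_packet(self, ts, src, dst, dport, flags):
        """Feed one packet; replies are keyed to the original flow's tuple."""
        key = (src, dst, dport)
        if flags == "SYN":
            self.pending[key] = ts
        elif flags == "SYNACK":
            self.pending.pop(key, None)      # port is open: not a probe
        elif flags == "RST" and self.pending.pop(key, None) is not None:
            # Path 1: the RST is in hand, so a drop response has something to act on.
            return self._event(dport, "rst", True)
        return None

    def sweep(self, now):
        """Path 2: expire unanswered SYNs; no packet is being processed here."""
        events = []
        for key, seen in list(self.pending.items()):
            if now - seen >= SYN_TIMEOUT:
                del self.pending[key]
                events.append(self._event(key[2], "timeout", False))
        return events

    def _event(self, dport, trigger, can_drop):
        sig = SIGNATURE_BY_PORT.get(dport, "TCP_Probe_Other")
        log = "" if can_drop else f"{self.response} response is not supported for {sig} event"
        return ProbeEvent(sig, trigger, can_drop, log)
```

In this model, the "not supported" message appears only for events raised from the timer sweep, which matches the reply's point that those events have no connection left to block.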
