I've noted an issue in the way that Proventia generates it's RST packets and would like to know if ISS will fix it in the future. A simple test, generating traffic that hits a block rule and capturing the packets, shows that Proventia doesn't calculates the probable initial victim/attacker's TTL, and puts it's own static initial TTL (64) in it's RST packets. While we cannot make the choice of simply drop de "attack" packets (don't sending the RST) anymore, this is a potential problem, because this well known feature shows two important things to the attacker: 1) There's a IDS/IPS in the way! 2) The relative position of IDS/IPS to her victim. Of course we can set Proventia to send it's RSTs through the "RST Port", and connect this port in a "black hole" segment (like a switch that connects nowhere to anywhere), in a way that RSTs never hits their destination. But, I think that it's at least more secure to fake not just the attacker/victim's IPs, but also de TTL! Just for reference, Snort's flexresp2 actually do this job, calculating (guessing) the attacker/victim's TTL and using it to set the appropriate TTL on the RST packets. PS: My test was made using a Proventia G2000 Firmware 1.2 XPU 1.8. Pedro Quintanilha
E-MAIL CONFIDENTIALITY NOTICE This e-mail, and any attachments hereto, is intended only for use by the addressee(s) named herein and may contain legally privileged and/or confidential information. If you are not the intended recipient of this e-mail, any dissemination, distribution or copying of this e-mail, and any attachments hereto, is strictly prohibited. If you have received this e-mail in error, please immediately notify me by e-mail or telephone and permanently delete all copies of this e-mail. _______________________________________________ ISSForum mailing list ISSForum@iss.net TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
