RE: Active response... some thoughts.

ummmm, just a technical quibble, but a TCP reset wouldn't work with the
Sapphire worm because it propagates using UDP as transport, not TCP.....
Frederick Garbrecht, M.D., GSEC
Coalition of National Cancer Cooperative Groups
-----Original Message-----
From: Kohlenberg, Toby [mailto:toby.kohlenberg@intel.com]
Sent: Monday, January 27, 2003 8:27 PM
To: mb_lima; RLos@enteredge.com
Cc: detmar.liesen@lds.nrw.de; abegetchell@qx.net;
focus-ids@securityfocus.com
Subject: RE: Active response... some thoughts.
> -----Original Message-----
Actually, TCP resets don't work in many cases- for instance any
situation where you have a single packet exploit (say the Sapphire
worm that just ran through the Net)... This is the same problem
that router/firewall reconfiguration has- by the time the response
happens, the compromise is done.
toby
Received on Tue Jan 28 11:52:43 2003