Claudia, Proventia A appliances and Proventia G appliances in passive mode inject TCP RST packets when an RSKill response is indicated. That is, they inject packets on the network that will break an existing TCP connection. RSKill does not work for UDP or ICMP based attacks.
Proventia G in inline mode can also inject TCP RST packets to break a TCP connection. However, these appliances will also rewrite TCP connections on the fly in some circumstances to implement the RSKill response. For instance, if you have an RSKill response assigned to an event that triggers on the body of an SMTP e-mail message, the Proventia G will reset the connection to the victim and rewrite the connection to the intruder such that the intruder believes the message has been rejected with a permanent delivery failure. This is very important, since simply injecting a TCP RST packet will cause the intruder to simply attempt to redeliver the same message a short time later for days at a time. Often legitimate messages will queue up behind the hostile message for days until it times out. That is, sending a simple RSKill for SMTP attacks can be a denial of service attack against yourself. In addition, the Proventia G appliances have a "drop packet" response that you can use to drop UDP and ICMP packets (among others). You can think of this as an "RSKill" response that works for those protocols. I hope that helps, Paul -----Original Message----- From: [EMAIL PROTECTED] On Behalf Of Claudia Patricia Prada Sent: Monday, March 07, 2005 4:49 PM Cc: [EMAIL PROTECTED] Subject: [ISSForum] rskill works Hi People I want to know how the rskill ports works on proventias appliance, its mean how to drop the packet by IP add or MAC, over tcp or udp traffic. Thanks Claudia Patricia Prada Guzm�n _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328. _______________________________________________ ISSForum mailing list [email protected] TO UNSUBSCRIBE OR CHANGE YOUR SUBSCRIPTION, go to https://atla-mm1.iss.net/mailman/listinfo/issforum To contact the ISSForum Moderator, send email to [EMAIL PROTECTED] The ISSForum mailing list is hosted and managed by Internet Security Systems, 6303 Barfield Road, Atlanta, Georgia, USA 30328.
