[Snort-devel] Stream5: Missing TCP connections with require_3whs

Lothar Braun lothar at ...3002...
Thu Jan 8 08:10:42 EST 2009


Hi all,

I noticed that snort-2.8.3.1 does not recognize all possible TCP
connections when require_3whs is enabled for the Stream5 preprocessor.

A connection is missed if the TCP handshake packets (especially the
SYN packets) have the ECN or CWR flag set. This is due to stream5 only
checking for p->tcph->th_flags == TH_SYN, which is false if TH_SYN
_and_ TH_ECN are set.

I've created a patch against snort-2.8.3.1 (see attachment) that fixes
the problem.

Best regards,
  Lothar
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: snortpatch.diff
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20090108/a193a8dc/attachment.ksh>
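The comparison described in the message, next to a masked variant, as an added example. It is not the attached patch and not Snort source code. The flag constants are defined locally with the RFC 793 / RFC 3168 bit values, and the function names and sample flag bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, defined locally for this example (RFC 793 / RFC 3168). */
#define TH_SYN 0x02
#define TH_ACK 0x10
#define TH_ECE 0x40 /* ECN-Echo */
#define TH_CWR 0x80 /* Congestion Window Reduced */

/* The check described in the post: exact equality on the whole flags byte. */
static int is_syn_exact(uint8_t th_flags)
{
    return th_flags == TH_SYN;
}

/* Hypothetical corrected check: drop the ECN bits, then compare. */
static int is_syn_masked(uint8_t th_flags)
{
    return (th_flags & (uint8_t)~(TH_ECE | TH_CWR)) == TH_SYN;
}

/* Count how many flag bytes a given predicate accepts as an initial SYN. */
static int count_syns(const uint8_t *flags, size_t n, int (*pred)(uint8_t))
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += pred(flags[i]) ? 1 : 0;
    return hits;
}

/* Constructed sample: flag bytes of seven TCP segments. */
static const uint8_t sample_flags[] = {
    TH_SYN,                   /* plain SYN */
    TH_SYN | TH_ECE | TH_CWR, /* ECN-setup SYN (RFC 3168) */
    TH_SYN | TH_ACK,          /* SYN-ACK */
    TH_SYN | TH_ACK | TH_ECE, /* ECN-setup SYN-ACK */
    TH_ACK,                   /* final ACK of the handshake */
    TH_SYN | TH_ECE,          /* SYN with only ECE set */
    TH_SYN | TH_CWR,          /* SYN with only CWR set */
};

int main(void)
{
    size_t n = sizeof sample_flags;
    printf("exact match:  %d SYNs\n", count_syns(sample_flags, n, is_syn_exact));
    printf("masked match: %d SYNs\n", count_syns(sample_flags, n, is_syn_masked));
    return 0;
}
```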

