[Snort-users] T/TCP resources -- answer for Andy Wood

Richard Bejtlich richard_bejtlich at ...131...
Thu May 1 16:46:03 EDT 2003


Lots of people have mentioned how to disable T/TCP in
Snort, but no one mentioned what it is -- so far as my
search of the list archives goes.  :)

T/TCP recognizes that many sessions are
request-response, like HTTP, so T/TCP tries to
minimize overhead.  For example, the client sends a
SYN/request/FIN in one packet.  The server sends its
SYN/ACK/response/FIN, and the session concludes with
the client ACKing the server's FIN.  

For those who want more than my simplistic rendition
of the protocol, see RFC 1379

Other resources include:

T/TCP home page:


1998 Phrack Article by Route:


As for why you're seeing so much traffic which matches
Snort's T/TCP checking code, I'd have to see some raw
captures to analyze what's happening.


Richard Bejtlich
richard at taosecurity dot com

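The three-segment exchange described in the post, as an added example that is not part of the original message or of Snort: it builds constructed TCP segments, pulls the flag bits out of the header, and models the SYN+FIN-in-one-segment condition that the post says Snort's T/TCP check keys on (that reading of the check is an assumption; the segment builder and port numbers are constructed for the example).

```python
import struct

# TCP flag bits in the low byte of the offset/flags word (RFC 793 header layout)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def build_segment(flags: int, payload: bytes = b"") -> bytes:
    """Constructed 20-byte TCP header (no options) followed by payload."""
    sport, dport, seq, ack = 40000, 80, 1, 0          # constructed values
    header = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                         (5 << 12) | flags,            # data offset 5 words + flags
                         8192, 0, 0)                   # window, checksum, urgent ptr
    return header + payload


def tcp_flags(segment: bytes) -> int:
    """Return the six flag bits of a raw TCP segment (header at byte 0)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return struct.unpack("!H", segment[12:14])[0] & 0x3F


def tcp_payload(segment: bytes) -> bytes:
    """Return the bytes after the header, honouring the data-offset field."""
    return segment[(segment[12] >> 4) * 4:]


def is_ttcp_style(segment: bytes) -> bool:
    """SYN and FIN in the same segment: the pattern a T/TCP request produces."""
    f = tcp_flags(segment)
    return bool(f & SYN) and bool(f & FIN)


def matches_ttcp_exchange(segments) -> bool:
    """Check three segments against the post's description:
    client SYN/request/FIN, server SYN/ACK/response/FIN, client ACK."""
    if len(segments) != 3:
        return False
    c1, s1, c2 = (tcp_flags(s) for s in segments)
    client_open = (c1 & (SYN | FIN | ACK)) == (SYN | FIN) and bool(tcp_payload(segments[0]))
    server_reply = (s1 & (SYN | ACK | FIN)) == (SYN | ACK | FIN) and bool(tcp_payload(segments[1]))
    client_close = (c2 & (ACK | SYN | FIN)) == ACK
    return client_open and server_reply and client_close
```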
