[Snort-users] T/TCP resources -- answer for Andy Wood
andy.wood at ...9040...
Thu May 1 18:33:53 EDT 2003
You may also reference this msg, sent 4/27/2003 @ 5am, for an
From: Richard Bejtlich [mailto:richard_bejtlich at ...131...]
Sent: Thursday, May 01, 2003 6:31 PM
To: snort-users at lists.sourceforge.net
Lots of people have mentioned how to disable T/TCP in Snort, but no one
mentioned what it is -- so far as my search of the list archives goes. :)
T/TCP recognizes that many sessions are
request-response, like HTTP, so T/TCP tries to minimize overhead. For
example, the client sends a SYN/request/FIN in one packet. The server sends
its SYN/ACK/response/FIN, and the session concludes with the client ACKing
the server's FIN.
For those who want more than my simplistic rendition of the protocol, see
RFC 1379 (http://www.faqs.org/rfcs/rfc1379.html).
Other resources include:
T/TCP home page:
1998 Phrack Article by Route:
As for why you're seeing so much traffic which matches Snort's T/TCP
checking code, I'd have to see some raw captures to analyze what's
richard at taosecurity dot com
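As an added illustration of the exchange Richard describes (not code from the original post or from Snort), the snippet below builds constructed TCP segments, parses the flag bits, and recognises the three-segment T/TCP pattern: SYN + data + FIN from the client, SYN/ACK + data + FIN from the server, then a bare ACK. The header builder, port numbers and payloads are assumptions made up for the example.

```python
# Added example: parse TCP flag bits and recognise the minimal T/TCP exchange
# described in the mail. Not Snort's own checking code.
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {FIN: "FIN", SYN: "SYN", RST: "RST", PSH: "PSH", ACK: "ACK", URG: "URG"}


def tcp_segment(src_port, dst_port, seq, ack, flags, payload=b""):
    """Build a minimal 20-byte TCP header (no options) plus payload. Constructed data."""
    offset_flags = (5 << 12) | flags          # data offset = 5 words, then the 6 flag bits
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack, offset_flags, 8192, 0, 0)
    return header + payload


def parse_flags(segment):
    """Return (set of flag names, payload length) for a raw TCP segment."""
    offset_flags = struct.unpack("!H", segment[12:14])[0]
    data_offset = (offset_flags >> 12) * 4    # header length in bytes
    bits = offset_flags & 0x3F
    names = {FLAG_NAMES[b] for b in FLAG_NAMES if bits & b}
    return names, len(segment) - data_offset


def has_syn_fin(segment):
    """SYN and FIN in the same segment: legal in T/TCP, never produced by plain TCP,
    which is why a T/TCP-aware check (or a SYN/FIN scan detector) keys on it."""
    flags, _ = parse_flags(segment)
    return {"SYN", "FIN"} <= flags


def is_ttcp_exchange(segments):
    """True if the three segments form the client-request / server-response / ACK
    pattern from the mail; a normal three-way handshake does not match."""
    if len(segments) != 3:
        return False
    (f1, d1), (f2, d2), (f3, d3) = (parse_flags(s) for s in segments)
    return (f1 >= {"SYN", "FIN"} and "ACK" not in f1 and d1 > 0
            and f2 >= {"SYN", "ACK", "FIN"} and d2 > 0
            and f3 == {"ACK"} and d3 == 0)


# Constructed sample exchange (ports, sequence numbers and payloads are made up).
CLIENT_REQ = tcp_segment(40000, 80, 1000, 0, SYN | PSH | FIN, b"GET / HTTP/1.0\r\n\r\n")
SERVER_RSP = tcp_segment(80, 40000, 5000, 1019, SYN | ACK | PSH | FIN, b"HTTP/1.0 200 OK\r\n\r\n")
CLIENT_ACK = tcp_segment(40000, 80, 1019, 5020, ACK)
```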