[Snort-users] [Emerging-Sigs] TCP Portals: The Handshake's a Lie!

CunningPike cunningpike at ...11827...
Thu Dec 3 15:44:54 EST 2009


On Tue, Dec 1, 2009 at 12:53 PM, Matt Olney <molney at ...1935...> wrote:
> I'd like to close the loop a little on the "4-way handshake" problem.
> We did some preliminary investigation into this and found that it was
> possible to bypass rules using this.  The VRT did the initial testing
> and the case was then passed to the Snort team.  Their testing
> revealed a config change that would ensure that the snort rules would
> alert properly in the face of a malicious server implementing a 4-way
> capable stack.
>
> The modification is to add the following value to your "preprocessor
> stream5_tcp:" line:
>
> require_3whs
>

Terrific work by you and your team, Matt - top marks!

CP
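
A check for the setting named in the quoted message, as an added example that is not part of the original thread: it scans a snort.conf for every `preprocessor stream5_tcp:` line and reports those that lack `require_3whs`. The sample configuration is constructed and the function names are hypothetical.

```python
import re

# Constructed sample snort.conf fragment (not taken from the thread).
SAMPLE_CONF = r"""
# global stream settings
preprocessor stream5_global: track_tcp yes, track_udp no
preprocessor stream5_tcp: policy first, use_static_footprint_sizes
preprocessor stream5_tcp: bind_to 10.1.1.0/24, policy windows, \
    require_3whs 180, ports both all
# preprocessor stream5_tcp: policy linux, require_3whs
"""

STREAM5_TCP = re.compile(r"^preprocessor\s+stream5_tcp\s*(?::\s*(.*))?$")

def logical_lines(text):
    """Yield (first_line_number, text), skipping comment lines and
    joining lines that end in a backslash continuation."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf and line.startswith("#"):
            continue  # commented-out directives must not count as enabled
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf:
            yield start, buf
        buf, start = "", None
    if buf:
        yield start, buf

def audit_stream5_tcp(text):
    """Return [(line_number, has_require_3whs)] for each stream5_tcp policy."""
    results = []
    for n, line in logical_lines(text):
        m = STREAM5_TCP.match(line)
        if not m:
            continue
        # Options are comma separated: a keyword followed by optional arguments.
        opts = [o.split() for o in (m.group(1) or "").split(",") if o.strip()]
        results.append((n, any(o[0] == "require_3whs" for o in opts)))
    return results

def missing_require_3whs(text):
    """Line numbers of stream5_tcp policies that do not set require_3whs."""
    return [n for n, has in audit_stream5_tcp(text) if not has]

if __name__ == "__main__":
    print("stream5_tcp lines without require_3whs:", missing_require_3whs(SAMPLE_CONF))
```

Each `stream5_tcp` line is checked separately because a configuration can carry several policies bound to different networks, and the option has to be present on every one of them.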



