[Snort-users] TCP Portals: The Handshake's a Lie!

Martin Roesch roesch at ...1935...
Tue Nov 17 15:37:49 EST 2009

On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike at ...11827...> wrote:

> I haven't seen much commentary on this:
> http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie.
> Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for state
> and/or flow?

Hi there,

Stream5 handles the TCP handshaking for the system; I don't think that
anything else in the codebase cares about the TWH.  I'd have to read the
code and maybe turn on the debug statements to understand the full effect. I
know at least some of the state handling handles the SYNs and ACKs
separately, but there could be issues with things like midstream pickups and
so on.


Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org