[Snort-users] TCP Portals: The Handshake's a Lie!
roesch at ...1935...
Tue Nov 17 15:37:49 EST 2009
On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike at ...11827...> wrote:
> I haven't seen much commentary on this:
> Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for state
> and/or flow?
Stream5 handles the TCP handshaking for the system; I don't think that
anything else in the codebase cares about the TWH. I'd have to read the
code and maybe turn on the debug statements to understand the full effect. I
know at least some of the state handling handles the SYNs and ACKs
separately, but there could be issues with things like midstream pickups and
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org