[Snort-users] TCP Portals: The Handshake's a Lie!
jasonb at ...1935...
Fri Nov 20 11:12:12 EST 2009
My casual read on it was that you would have to be dealing with a
malicious server which deliberately responds to a syn with a syn and
that the likelihood of that is not the greatest. If it does happen the
server is going to be doing a lot of other more malicious things. My
- An inbound SYN that is not acknowledging a syn at the same time is
going to be blocked by firewalls if properly configured.
- Even a properly configured border router will be blocking inbound
syn only for non-services ports.
- Any attack relying on local segment access that is a concern means
that you have already failed.
Who would like to provide a server on the net so that people can test
their devices in a full life cycle test? Simple web page returned that
says "It Worked!" would suffice.
On Tue, Nov 17, 2009 at 3:37 PM, Martin Roesch <roesch at ...1935...> wrote:
> On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike at ...11827...> wrote:
>> I haven't seen much commentary on this:
>> Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for state
>> and/or flow?
> Hi there,
> Stream5 handles the TCP handshaking for the system, I don't think that
> anything else in the codebase cares about the TWH. I'd have to read the
> code and maybe turn on the debug statements to understand the full effect, I
> know at least some of the state handling handles the SYNs and ACKs
> separately but there could be issues with things like midstream pickups and
> so on.
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> Snort-users list archive:
More information about the Snort-users