[Snort-users] TCP Portals: The Handshake's a Lie!
cunningpike at ...11827...
Fri Nov 20 12:25:02 EST 2009
I can provide the server - but would need a little hand-holding to make sure
it was replicating this behavior properly. Perhaps a netcat listener of some
On Fri, Nov 20, 2009 at 8:12 AM, Jason Brvenik <jasonb at ...1935...>wrote:
> My casual read on it was that you would have to be dealing with a
> malicious server which deliberately responds to a syn with a syn and
> that the likelihood of that is not the greatest. If it does happen the
> server is going to be doing a lot of other more malicious things. My
> presumptions are:
> - An inbound SYN that is not acknowledging a syn at the same time is
> going to be blocked by firewalls if properly configured.
> - Even a properly configured border router will be blocking inbound
> syn only for non-services ports.
> - Any attack relying on local segment access that is a concern means
> that you have already failed.
> Who would like to provide a server on the net so that people can test
> their devices in a full life cycle test? Simple web page returned that
> says "It Worked!" would suffice.
> On Tue, Nov 17, 2009 at 3:37 PM, Martin Roesch <roesch at ...1935...>
> > On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike at ...11827...>
> >> I haven't seen much commentary on this:
> >> Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for
> >> and/or flow?
> > Hi there,
> > Stream5 handles the TCP handshaking for the system, I don't think that
> > anything else in the codebase cares about the TWH. I'd have to read the
> > code and maybe turn on the debug statements to understand the full
> effect, I
> > know at least some of the state handling handles the SYNs and ACKs
> > separately but there could be issues with things like midstream pickups
> > so on.
> > Marty
> > --
> > Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> > Sourcefire - Security for the Real World - http://www.sourcefire.com
> > Snort: Open Source IDP - http://www.snort.org
> > Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> > trial. Simplify your report design, integration and deployment - and
> > on
> > what you do best, core application coding. Discover what's new with
> > Crystal Reports now. http://p.sf.net/sfu/bobj-july
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-users