[Snort-users] TCP Portals: The Handshake's a Lie!

CunningPike cunningpike at ...11827...
Fri Nov 20 12:25:02 EST 2009


I can provide the server - but would need a little hand-holding to make sure
it was replicating this behavior properly. Perhaps a netcat listener of some
kind?

CP

On Fri, Nov 20, 2009 at 8:12 AM, Jason Brvenik <jasonb at ...1935...> wrote:

> My casual read on it was that you would have to be dealing with a
> malicious server which deliberately responds to a syn with a syn and
> that the likelihood of that is not the greatest. If it does happen the
> server is going to be doing a lot of other more malicious things. My
> presumptions are:
>
> - An inbound SYN that is not acknowledging a syn at the same time is
> going to be blocked by firewalls if properly configured.
>
> - Even a properly configured border router will be blocking inbound
> syn only for non-services ports.
>
> - Any attack relying on local segment access that is a concern means
> that you have already failed.
>
> Who would like to provide a server on the net so that people can test
> their devices in a full life cycle test? Simple web page returned that
> says "It Worked!" would suffice.
>
> On Tue, Nov 17, 2009 at 3:37 PM, Martin Roesch <roesch at ...1935...> wrote:
> > On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike at ...11827...> wrote:
> >>
> >> I haven't seen much commentary on this:
> >> http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie .
> >> Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for state
> >> and/or flow?
> >>
> >
> > Hi there,
> >
> > Stream5 handles the TCP handshaking for the system, I don't think that
> > anything else in the codebase cares about the TWH.  I'd have to read the
> > code and maybe turn on the debug statements to understand the full effect, I
> > know at least some of the state handling handles the SYNs and ACKs
> > separately but there could be issues with things like midstream pickups and
> > so on.
> >
> > Marty
> >
> > --
> > Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> > Sourcefire - Security for the Real World - http://www.sourcefire.com
> > Snort: Open Source IDP - http://www.snort.org
> >
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> >
>
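The exchange Jason and Marty are reasoning about, as an added example that is not part of the thread and not Snort or stream5 code: a toy session tracker fed two constructed packet sequences, the ordinary three-way handshake and the "SYN answered with a bare SYN" variant from the blog post. The tracker can be run in a mode that only establishes a session on a SYN/ACK (the assumption the question is probing) or in a mode that also accepts the RFC 793 simultaneous-open path. The host:port strings, the Pkt tuple and the track() function are all assumptions made up for the example; the point it shows is that a tracker which insists on a SYN/ACK never reaches ESTABLISHED on the second sequence and so inspects none of its data, which is exactly why midstream pickup matters for this case.

```python
"""Toy TCP session tracker, added example (not stream5 code).

Contrasts a handshake model that requires a SYN/ACK with one that also
accepts the "SYN answered by SYN" exchange (simultaneous open, RFC 793)
discussed in the thread.  Packets are constructed (src, dst, flags) tuples;
addresses are hypothetical.
"""

from collections import namedtuple

# flags is a set of TCP flag names, e.g. {"SYN", "ACK"}
Pkt = namedtuple("Pkt", "src dst flags")

# Constructed endpoints (documentation/private ranges, not real hosts).
CLIENT, SERVER = "10.0.0.5:40000", "203.0.113.7:80"

# Sequence 1: the textbook three-way handshake followed by one data segment.
THREE_WAY = [
    Pkt(CLIENT, SERVER, {"SYN"}),
    Pkt(SERVER, CLIENT, {"SYN", "ACK"}),
    Pkt(CLIENT, SERVER, {"ACK"}),
    Pkt(CLIENT, SERVER, {"ACK", "PSH"}),   # request data
]

# Sequence 2: the "portal" variant from the blog post as the thread describes
# it: the server answers the SYN with a bare SYN, then both sides ACK.
# No SYN/ACK segment ever appears on the wire.
SYN_SYN_ACK = [
    Pkt(CLIENT, SERVER, {"SYN"}),
    Pkt(SERVER, CLIENT, {"SYN"}),
    Pkt(CLIENT, SERVER, {"ACK"}),
    Pkt(SERVER, CLIENT, {"ACK"}),
    Pkt(CLIENT, SERVER, {"ACK", "PSH"}),   # request data
]


def track(packets, allow_simultaneous_open):
    """Run the tracker over a packet list.

    Returns (final_state, inspected) where inspected counts the data (PSH)
    segments the tracker saw while it considered the session established.
    Without midstream pickup, data seen in any other state is not inspected.
    """
    state = "CLOSED"
    client = None
    inspected = 0
    for p in packets:
        if state == "CLOSED" and p.flags == {"SYN"}:
            state, client = "SYN_SENT", p.src
        elif (state == "SYN_SENT" and p.src != client
              and p.flags == {"SYN", "ACK"}):
            state = "SYN_RECEIVED"          # classic three-way handshake
        elif (state == "SYN_SENT" and p.src != client
              and p.flags == {"SYN"} and allow_simultaneous_open):
            state = "SYN_RECEIVED"          # RFC 793 simultaneous open
        elif state == "SYN_RECEIVED" and "ACK" in p.flags:
            state = "ESTABLISHED"
            if "PSH" in p.flags:
                inspected += 1
        elif state == "ESTABLISHED" and "PSH" in p.flags:
            inspected += 1
        # Any other packet is ignored: a strict tracker stays in SYN_SENT for
        # the whole second sequence and never looks at the payload.
    return state, inspected


if __name__ == "__main__":
    for name, seq in (("three-way", THREE_WAY), ("syn-syn-ack", SYN_SYN_ACK)):
        for mode in (False, True):
            print(name, "simultaneous_open=%s" % mode, track(seq, mode))
```

Running it prints ESTABLISHED with one inspected segment for the three-way sequence in both modes, while the SYN-SYN-ACK sequence stays in SYN_SENT with nothing inspected unless simultaneous open is allowed. That is the gap a perimeter check has to cover: the inbound server-to-client segment in sequence 2 is a SYN with no ACK, which is the segment Jason expects a properly configured stateful firewall to drop.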