[Snort-users] TCP Portals: The Handshake's a Lie!

Jason Brvenik jasonb at ...1935...
Fri Nov 20 13:19:36 EST 2009


I don't think netcat will do it. There needs to be a stack
modification to do the handshake in this manner or an app that will do
it while suppressing the existing stack.

I can think of a quick and dirty iptables / libdnet app but don't have
the time to implement at the moment. Someone could probably do it
quickly with iptables and scapy too.

On Fri, Nov 20, 2009 at 12:25 PM, CunningPike <cunningpike at ...11827...> wrote:
> I can provide the server - but would need a little hand-holding to make sure
> it was replicating this behavior properly. Perhaps a netcat listener of some
> kind?
>
> CP
>
> On Fri, Nov 20, 2009 at 8:12 AM, Jason Brvenik <jasonb at ...1935...>
> wrote:
>>
>> My casual read on it was that you would have to be dealing with a
>> malicious server which deliberately responds to a syn with a syn and
>> that the likelihood of that is not the greatest. If it does happen the
>> server is going to be doing a lot of other more malicious things. My
>> presumptions are:
>>
>> - An inbound SYN that is not acknowledging a syn at the same time is
>> going to be blocked by firewalls if properly configured.
>>
>> - Even a properly configured border router will be blocking inbound
>> syn only for non-services ports.
>>
>> - Any attack relying on local segment access that is a concern means
>> that you have already failed.
>>
>> Who would like to provide a server on the net so that people can test
>> their devices in a full life cycle test? Simple web page returned that
>> says "It Worked!" would suffice.
>>
>> On Tue, Nov 17, 2009 at 3:37 PM, Martin Roesch <roesch at ...1935...>
>> wrote:
>> > On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike at ...11827...>
>> > wrote:
>> >>
>> >> I haven't seen much commentary on this:
>> >>
>> >> http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie.
>> >> Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for
>> >> state and/or flow?
>> >>
>> >
>> > Hi there,
>> >
>> > Stream5 handles the TCP handshaking for the system, I don't think that
>> > anything else in the codebase cares about the TWH.  I'd have to read the
>> > code and maybe turn on the debug statements to understand the full
>> > effect, I know at least some of the state handling handles the SYNs and
>> > ACKs separately but there could be issues with things like midstream
>> > pickups and so on.
>> >
>> > Marty
>> >
>> > --
>> > Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
>> > Sourcefire - Security for the Real World - http://www.sourcefire.com
>> > Snort: Open Source IDP - http://www.snort.org
>> >
>> >
>
>
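As an added illustration (not code from this thread, from Snort, or from the BreakingPoint post), a minimal handshake classifier that shows what a stream tracker must distinguish: a normal SYN / SYN-ACK / ACK exchange versus a "portal"-style flow where the peer answers a SYN with a bare SYN. The packet records and addresses are constructed for the example.

```python
# Added example: classify TCP handshakes from (src, dst, flags) records.
# Flags are a constructed string using "S" for SYN and "A" for ACK.

SYN, ACK = "S", "A"

def flow_key(src, dst):
    # Order the endpoints so both directions map to the same flow.
    return tuple(sorted((src, dst)))

def classify_handshakes(packets):
    """Return {flow_key: verdict} for every flow in `packets`.

    Verdicts:
      "normal"     - SYN, then SYN/ACK from the peer, then ACK (three-way)
      "portal"     - SYN answered by a bare SYN from the peer (the
                     handshake variant discussed in the thread)
      "midstream"  - first packet seen carried no SYN (pickup mid-flow)
      "incomplete" - handshake started but never finished
    """
    state = {}
    for src, dst, flags in packets:
        key = flow_key(src, dst)
        has_syn, has_ack = SYN in flags, ACK in flags
        if key not in state:
            state[key] = ("syn_sent", src) if has_syn and not has_ack else ("midstream", None)
            continue
        phase, initiator = state[key]
        if phase == "syn_sent" and src != initiator:
            if has_syn and has_ack:
                state[key] = ("synack_seen", initiator)
            elif has_syn:                      # bare SYN back: the "lie"
                state[key] = ("portal", initiator)
        elif phase == "synack_seen" and src == initiator and has_ack and not has_syn:
            state[key] = ("normal", initiator)
    unfinished = {"syn_sent": "incomplete", "synack_seen": "incomplete"}
    return {key: unfinished.get(phase, phase) for key, (phase, _) in state.items()}

# Constructed sample: one ordinary handshake and one portal-style exchange.
SAMPLE = [
    ("10.0.0.5:40000", "203.0.113.10:80", "S"),
    ("203.0.113.10:80", "10.0.0.5:40000", "SA"),
    ("10.0.0.5:40000", "203.0.113.10:80", "A"),
    ("10.0.0.6:40001", "203.0.113.20:80", "S"),
    ("203.0.113.20:80", "10.0.0.6:40001", "S"),   # server replies with SYN, not SYN/ACK
    ("10.0.0.6:40001", "203.0.113.20:80", "SA"),
    ("203.0.113.20:80", "10.0.0.6:40001", "A"),
]

if __name__ == "__main__":
    for key, verdict in classify_handshakes(SAMPLE).items():
        print(key, verdict)
```

Note that the second flow still carries data after the odd handshake, which is why a tracker keyed only on "was a SYN/ACK seen" would treat it as a midstream pickup rather than an established session.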