[Snort-users] TCP Portals: The Handshake's a Lie!

Martin Roesch roesch at ...1935...
Fri Nov 20 13:44:27 EST 2009


You'd probably want to try to modify something like fragroute...


On Fri, Nov 20, 2009 at 1:19 PM, Jason Brvenik <jasonb at ...1935...> wrote:

> I don't think netcat will do it. There needs to be a stack
> modification to do the handshake in this manner or an app that will do
> it while suppressing the existing stack.
>
> I can think of a quick and dirty iptables / libdnet app but don't have
> the time to implement at the moment. Someone could probably do it
> quickly with iptables and scapy too.
>
> > On Fri, Nov 20, 2009 at 12:25 PM, CunningPike <cunningpike at ...11827...>
> > wrote:
> > > I can provide the server - but would need a little hand-holding to make
> > > sure it was replicating this behavior properly. Perhaps a netcat listener
> > > of some kind?
> >
> > CP
> >
> > On Fri, Nov 20, 2009 at 8:12 AM, Jason Brvenik <jasonb at ...1935...>
> > wrote:
> >>
> >> My casual read on it was that you would have to be dealing with a
> >> malicious server which deliberately responds to a SYN with a SYN, and
> >> that the likelihood of that is not the greatest. If it does happen, the
> >> server is going to be doing a lot of other more malicious things. My
> >> presumptions are:
> >>
> >> - An inbound SYN that is not acknowledging a SYN at the same time is
> >> going to be blocked by firewalls if properly configured.
> >>
> >> - Even a properly configured border router will be blocking inbound
> >> SYN-only packets for non-service ports.
> >>
> >> - Any attack relying on local segment access that is a concern means
> >> that you have already failed.
> >>
> >> Who would like to provide a server on the net so that people can test
> >> their devices in a full life cycle test? Simple web page returned that
> >> says "It Worked!" would suffice.
> >>
> >> On Tue, Nov 17, 2009 at 3:37 PM, Martin Roesch <roesch at ...1935...>
> >> wrote:
> >> > On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike at ...11827...>
> >> > wrote:
> >> >>
> >> >> I haven't seen much commentary on this:
> >> >>
> >> >> http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie
> >> >>
> >> >> Do any of the Snort sigs or preprocessors rely on a SYN/ACK packet for
> >> >> state and/or flow?
> >> >>
> >> >
> >> > Hi there,
> >> >
> >> > Stream5 handles the TCP handshaking for the system; I don't think that
> >> > anything else in the codebase cares about the TWH.  I'd have to read the
> >> > code and maybe turn on the debug statements to understand the full
> >> > effect. I know at least some of the state handling handles the SYNs and
> >> > ACKs separately, but there could be issues with things like midstream
> >> > pickups and so on.
> >> >
> >> > Marty
> >> >
> >> > --
> >> > Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> >> > Sourcefire - Security for the Real World - http://www.sourcefire.com
> >> > Snort: Open Source IDP - http://www.snort.org
> >> >
> >
> >
>



-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org