[Snort-users] [Emerging-Sigs] TCP Portals: The Handshake's a Lie!
frank at ...9761...
Tue Nov 24 16:46:51 EST 2009
On Tue, 2009-11-24 at 12:54 -0500, Jason Brvenik wrote:
> > Or systems that run 30 year old TCP stacks :)
> /me thinks if that were the case they would be having problems today.
> my though here is not what should be happening but if a poorly
> designed / implemented system in an effort to accommodate this valid
> behavior might well let ip:80 -> ip:7627 establish a session much like
> a poorly implemented system that doesn't recognize
> SYN/[PSH,URG,ETC...] can establish state with some stacks.
Well, if ipA:80->ipB:7627 is in response to ipB:7627 sending a SYN to
ipA:80, then it would be correct. Note that the SYN doesn't establish
the sessions. You still require an ACK from both sides.
> thanks for the education in flow handling, it was not clear to me :)
Well, I'm glad you learned something ;)
I know you know this. It was for the benefit of other readers. I'd like
to flesh things out so other can visualize what's happening to remain on
"the same page".
> And an IPS has an entirely different set of actions it can take. My
> point here is that if your systems are designed that an attack against
> the IDS using this method is possible ( knowing all of the other
> hurdles ) you have bigger problems.
I'm not aware of other problems though. Except running 30 year old
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 188 bytes
Desc: This is a digitally signed message part
More information about the Snort-users