[Snort-users] [Emerging-Sigs] TCP Portals: The Handshake's a Lie!

Frank Knobbe frank at ...9761...
Tue Nov 24 16:46:51 EST 2009

On Tue, 2009-11-24 at 12:54 -0500, Jason Brvenik wrote:
> > Or systems that run 30 year old TCP stacks :)
> /me thinks if that were the case they would be having problems today.

/me nods

> my though here is not what should be happening but if a poorly
> designed / implemented system in an effort to accommodate this valid
> behavior might well let ip:80 -> ip:7627 establish a session much like
> a poorly implemented system that doesn't recognize
> SYN/[PSH,URG,ETC...] can establish state with some stacks.

Well, if ipA:80->ipB:7627 is in response to ipB:7627 sending a SYN to
ipA:80, then it would be correct. Note that the SYN doesn't establish
the sessions. You still require an ACK from both sides. 

> thanks for the education in flow handling, it was not clear to me :)

Well, I'm glad you learned something ;)

I know you know this. It was for the benefit of other readers. I'd like
to flesh things out so other can visualize what's happening to remain on
"the same page".

> And an IPS has an entirely different set of actions it can take. My
> point here is that if your systems are designed that an attack against
> the IDS using this method is possible ( knowing all of the other
> hurdles ) you have bigger problems.

I'm not aware of other problems though. Except running 30 year old
stuff? :)


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 188 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20091124/b8fe7fd9/attachment.sig>

More information about the Snort-users mailing list