[Snort-users] [Emerging-Sigs] TCP Portals: The Handshake's a Lie!

Frank Knobbe frank at ...9761...
Tue Nov 24 16:49:37 EST 2009


On Tue, 2009-11-24 at 11:13 -0500, Josh Smith wrote:
>
> I already did some testing with snort, and sent to cunningpike but 
> didn't hit reply to all.  Here it is so far:
> 
> http://malforge.com/node/20
> 
> Snort was able to detect the "alternate" handshake if I took out 
> http_method, and put in flow:established,from_server.  This was odd, 
> since it should alert on to_server being a GET request.


That should help the Snort crew to narrow things down... unless it's
decided that it's not a problem. And I'm glad to hear that flow: works
properly. Thanks for testing!

-Frank
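To show what Josh's result implies for a flow tracker, here is an added example that is not from this thread and not Snort's own code: a toy tracker that takes whichever host sends the SYN-ACK as the server, then reports which flow: direction a GET would match. The "alternate" handshake modelled here (the responder answers the SYN with a SYN of its own, so the initiator ends up sending the SYN-ACK) is an assumption, and the addresses and segments are constructed.

```python
from dataclasses import dataclass


@dataclass
class Seg:
    src: str
    dst: str
    flags: str          # "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    payload: bytes = b""


def assign_roles(segments):
    """Return (client, server) as a SYN-ACK-keyed tracker would see them.
    Assumption: the host that sends the SYN-ACK is recorded as the server."""
    for s in segments:
        if s.flags == "SA":
            return s.dst, s.src
    return None, None


def direction(seg, client, server):
    """Snort-style flow direction of one segment relative to tracked roles."""
    if seg.src == client and seg.dst == server:
        return "to_server"
    if seg.src == server and seg.dst == client:
        return "from_server"
    return "unknown"


def matching_flow_option(segments):
    """Which flow: direction would a rule need for the GET to fire?"""
    client, server = assign_roles(segments)
    for s in segments:
        if s.payload.startswith(b"GET "):
            return direction(s, client, server)
    return None


# Constructed hosts and request (placeholders, not real traffic).
C, S = "10.0.0.5", "192.0.2.10"
GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

# Normal three-way handshake: client SYN, server SYN-ACK, client ACK, then GET.
NORMAL = [Seg(C, S, "S"), Seg(S, C, "SA"), Seg(C, S, "A"), Seg(C, S, "A", GET)]

# Assumed alternate handshake: server replies with its own SYN, so the real
# client is the one that sends the SYN-ACK and gets recorded as "server".
ALTERNATE = [Seg(C, S, "S"), Seg(S, C, "S"), Seg(C, S, "SA"),
             Seg(S, C, "A"), Seg(C, S, "A", GET)]
```

Under this model the same GET matches to_server after a normal handshake but only from_server after the alternate one, which is the behaviour Josh reports.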



