[Snort-users] stream5 reassembly and split-tcp handshaking

Kungu Panda kungupanda at ...11827...
Mon Apr 25 13:55:59 EDT 2011


There has been a lot of press recently regarding exploits using tcp
split handshaking to evading IDS/IPS solutions:
     https://www.nsslabs.com/research/network-security/firewall-ngfw/network-firewall-group-test-q2-2011.html
     http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html
     http://nmap.org/misc/split-handshake.pdf

Questions:
   (a)  How does snort/stream5 handle split-tcp handshakes ?
   (b)  Does snort maintain correct flow directionality when
reassembling split-tcp sessions ?
   (c)  Are there signatures to detect attempts to establish split-tcp
connections ?

Thanks,
KPanda




More information about the Snort-users mailing list