[Snort-users] stream5 reassembly and split-tcp handshaking

Kungu Panda kungupanda at ...11827...
Wed Apr 27 10:42:22 EDT 2011


Thank you.  That blog posting nailed it.


On Wed, Apr 27, 2011 at 12:39 PM, Joel Esler <jesler at ...1935...> wrote:
> We wrote about this in December of 2009.
> http://vrt-blog.snort.org/2009/12/require3whs-and-mystery-of-four-way.html
>
> On Mon, Apr 25, 2011 at 1:55 PM, Kungu Panda <kungupanda at ...11827...> wrote:
>>
>> There has been a lot of press recently regarding exploits using tcp
>> split handshaking to evade IDS/IPS solutions:
>>
>> https://www.nsslabs.com/research/network-security/firewall-ngfw/network-firewall-group-test-q2-2011.html
>>
>> http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html
>> http://nmap.org/misc/split-handshake.pdf
>>
>> Questions:
>>   (a)  How does snort/stream5 handle split-tcp handshakes?
>>   (b)  Does snort maintain correct flow directionality when
>> reassembling split-tcp sessions?
>>   (c)  Are there signatures to detect attempts to establish split-tcp
>> connections?
>>
>> Thanks,
>> KPanda



