[Snort-users] Detecting TCP session without data after three-way handshake
willstmail at ...11827...
Wed Nov 2 19:38:43 EDT 2011
Here's a theoretical question for you. I'm wondering if Snort can
realistically identify sessions in which a three-way TCP handshake is
established but then no data is requested by the client or sent by the
server. In other words, two endpoints do their SYN, SYN/ACK, ACK
exchange, then the connection is terminated, gracefully or otherwise,
either immediately or after a period of time, and with no other
communication between the endpoints during that session. I can review
firewall logs to find sessions with very little data transferred,
which could help, but I was wondering if anyone has ideas about how to
identify these types of sessions with Snort.
I'm going to cross-post this between the Google group and SourceForge
mailing list to see if any smart people want to chime in.
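One way to flag the sessions described above from a packet or flow record offline, added here as an illustration and not taken from the thread or from Snort itself: a small Python state machine that tracks the SYN, SYN/ACK, ACK per session and reports sessions that closed (FIN or RST) with zero payload bytes. The session ids, flag strings and packet list are constructed sample input.

```python
"""Flag TCP sessions that complete the three-way handshake but carry no payload."""
from dataclasses import dataclass

@dataclass
class Session:
    syn: bool = False
    synack: bool = False
    established: bool = False
    closed: bool = False
    payload_bytes: int = 0

# Constructed sample "packets": (session id, TCP flag letters, payload length).
# c1: handshake, then graceful FIN close, no data   -> should be flagged
# c2: handshake, 120 bytes of data, then FIN close  -> normal session
# c3: handshake, then immediate RST, no data        -> should be flagged
# c4: SYN and SYN/ACK only, handshake never completes -> ignored
SAMPLE_PACKETS = [
    ("c1", "S", 0), ("c1", "SA", 0), ("c1", "A", 0), ("c1", "FA", 0), ("c1", "FA", 0), ("c1", "A", 0),
    ("c2", "S", 0), ("c2", "SA", 0), ("c2", "A", 0), ("c2", "PA", 120), ("c2", "A", 0), ("c2", "FA", 0),
    ("c3", "S", 0), ("c3", "SA", 0), ("c3", "A", 0), ("c3", "R", 0),
    ("c4", "S", 0), ("c4", "SA", 0),
]

def track(packets):
    """Replay packets in order and build per-session handshake/close/payload state."""
    sessions = {}
    for sid, flags, payload in packets:
        s = sessions.setdefault(sid, Session())
        if "S" in flags and "A" not in flags:
            s.syn = True                      # client SYN
        elif "S" in flags and "A" in flags:
            s.synack = s.syn                  # SYN/ACK only counts after a SYN
        elif "A" in flags and s.synack and not s.established:
            s.established = True              # third packet completes the handshake
        s.payload_bytes += payload
        if "F" in flags or "R" in flags:
            s.closed = True                   # graceful or abortive teardown
    return sessions

def find_handshake_only(packets):
    """Return ids of sessions that completed the handshake, closed, and moved no payload."""
    return sorted(sid for sid, s in track(packets).items()
                  if s.established and s.closed and s.payload_bytes == 0)

if __name__ == "__main__":
    print(find_handshake_only(SAMPLE_PACKETS))  # ['c1', 'c3']
```

The same per-session logic can be fed from firewall or flow logs that record flags and byte counts, which is the data the post already mentions reviewing.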