[Snort-users] Detecting TCP session without data after three-way handshake

Willst Mail willstmail at ...11827...
Wed Nov 2 19:38:43 EDT 2011


Hello,
Here's a theoretical question for you.  I'm wondering if Snort can
realistically identify sessions in which a three-way TCP handshake is
established but then no data is requested by the client or sent by the
server.  In other words, two endpoints do their SYN, SYN/ACK, ACK
exchange, then the connection is terminated, gracefully or otherwise,
either immediately or after a period of time, and with no other
communication between the endpoints during that session.  I can review
firewall logs to find sessions with very little data transferred,
which could help, but I was wondering if anyone has ideas about how to
identify these types of sessions with Snort.

I'm going to cross-post this between the Google group and SourceForge
mailing list to see if any smart people want to chime in.

Thanks!

-w




More information about the Snort-users mailing list