[Snort-users] Detecting TCP session without data after three-way handshake

Edward Fjellskål edwardfjellskaal at ...11827...
Thu Nov 3 06:56:13 EDT 2011

On 11/03/2011 12:38 AM, Willst Mail wrote:
> Hello,
> Here's a theoretical question for you.  I'm wondering if Snort can
> realistically identify sessions in which a three-way TCP handshake is
> established but then no data is requested by the client or sent by the
> server.  In other words, two endpoints do their SYN, SYN/ACK, ACK
> exchange, then the connection is terminated, gracefully or otherwise,
> either immediately or after a period of time, and with no other
> communication between the endpoints during that session.  I can review
> firewall logs to find sessions with very little data transferred,
> which could help, but I was wondering if anyone has ideas about how to
> identify these types of sessions with Snort.
> I'm going to cross-post this between the Google group and SourceForge
> mailing list to see if any smart people want to chime in.
> Thanks!
> -w


I have been doing similar tests for a while with snort and suricata,
which led me to a feature request for suricata.

I took the liberty of updating the feature request today (based on the
thoughts that you have; that was my initial reason for making a feature request),
and may snort-devel also consider it as a feature request for snort :)


Today, I have been somewhat successful using (many) flowbits, but 
writing such rules (the way I do) sucks the juice out of snort.
Suricata and its flowint (
https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flowint )
have helped, as I can write the same rule without the bad performance
impact of these crazy rules of mine :)

You might be able to do what you want writing a preprocessor :) but that 
might be a bit harder than writing a rule.

Any feedback on my feature request would be awesome :P
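
The session type asked about in this thread, shown as an added example that is not part of the original post and is neither a Snort nor a Suricata rule: an offline Python flow tracker that reports connections which completed the three-way handshake and were closed without any payload. The names `Pkt`, `find_empty_sessions`, `session` and `SAMPLE`, and the record layout, are assumptions made for this example.

```python
from collections import namedtuple

# Constructed per-segment record (an assumption of this example, not a capture format).
Pkt = namedtuple("Pkt", "ts src sport dst dport flags payload_len")

def find_empty_sessions(packets):
    """Sessions that completed SYN, SYN/ACK, ACK and then closed with zero payload."""
    flows, hits = {}, []
    for p in sorted(packets, key=lambda p: p.ts):
        src, dst = (p.src, p.sport), (p.dst, p.dport)
        key, flags = frozenset((src, dst)), set(p.flags)   # key is direction-independent
        if flags == {"S"}:                       # bare SYN: start tracking
            flows[key] = {"client": src, "server": dst, "state": "SYN",
                          "start": p.ts, "bytes": 0, "fins": set()}
            continue
        f = flows.get(key)
        if f is None:
            continue                             # handshake not observed, skip
        from_client = src == f["client"]
        if f["state"] == "SYN" and flags == {"S", "A"} and not from_client:
            f["state"] = "SYNACK"
        elif (f["state"] == "SYNACK" and from_client
              and "A" in flags and not flags & {"S", "R"}):
            f["state"] = "ESTABLISHED"           # third step of the handshake
        if f["state"] != "ESTABLISHED":
            if "R" in flags:
                del flows[key]                   # refused or half-open attempt
            continue
        f["bytes"] += p.payload_len              # payload in either direction
        if "F" in flags:
            f["fins"].add(src)
        if "R" in flags or len(f["fins"]) == 2:  # abortive or graceful close
            if f["bytes"] == 0:
                hits.append((f["client"], f["server"], round(p.ts - f["start"], 3)))
            del flows[key]
    return hits

def session(client, server, t0, script):
    """Constructed packets from a script such as 'c:S s:SA c:A c:PA:120', 10 ms apart."""
    out = []
    for i, seg in enumerate(script.split()):
        side, flags, *n = seg.split(":")
        ends = client + server if side == "c" else server + client
        out.append(Pkt(t0 + i * 0.01, *ends, flags, int(n[0]) if n else 0))
    return out

SAMPLE = (session(("10.0.0.5", 40001), ("192.0.2.10", 22), 0.0, "c:S s:SA c:A c:FA s:FA c:A")
          + session(("10.0.0.6", 40002), ("192.0.2.10", 80), 1.0, "c:S s:SA c:A c:PA:120 s:PA:512 c:FA s:FA")
          + session(("10.0.0.7", 40003), ("192.0.2.10", 443), 2.0, "c:S s:SA c:R")
          + session(("10.0.0.8", 40004), ("192.0.2.10", 25), 3.0, "c:S s:SA c:A c:RA"))
```

Of the four constructed connections, only the graceful close to port 22 and the reset to port 25 are reported; the half-open attempt to port 443 never completes the handshake, and the port 80 session carries data.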

