[Snort-users] Detecting TCP session without data after three-way handshake
edwardfjellskaal at ...11827...
Thu Nov 3 06:56:13 EDT 2011
On 11/03/2011 12:38 AM, Willst Mail wrote:
> Here's a theoretical question for you. I'm wondering if Snort can
> realistically identify sessions in which a three-way TCP handshake is
> established but then no data is requested by the client or sent by the
> server. In other words, two endpoints do their SYN, SYN/ACK, ACK
> exchange, then the connection is terminated, gracefully or otherwise,
> either immediately or after a period of time, and with no other
> communication between the endpoints during that session. I can review
> firewall logs to find sessions with very little data transferred,
> which could help, but I was wondering if anyone has ideas about how to
> identify these types of sessions with Snort.
> I'm going to cross-post this between the Google group and SourceForge
> mailing list to see if any smart people want to chime in.
I have been doing similar tests for a while with snort and suricata,
which led me to a feature request for suricata.
I took the liberty of updating the feature request today (the thoughts
you have were my initial reason for making the feature request),
and perhaps snort-devel may also consider it as a feature request for snort :)
Today, I have been somewhat successful using (many) flowbits, but
writing such rules (the way I do) sucks the juice out of snort.
Suricata and its flowint (
have helped, as I can write the same rule without the bad performance
impact of these crazy rules of mine :)
You might be able to do what you want writing a preprocessor :) but that
might be a bit harder than writing a rule.
Any feedback on my feature request would be awesome :P
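The state the poster is tracking with flowbits (handshake completed, then teardown, with no payload in either direction) is small enough to show as a standalone flow tracker. This is an added example, not code from the thread or from Snort/Suricata; it runs over constructed packet tuples rather than a capture, and the "data_seen" name is borrowed only to mirror the flowbit idea.

```python
"""Flag TCP sessions that finish the three-way handshake but carry no payload.
Added example, not from the thread: a flow tracker mirroring the flowbits-style
state the poster describes, run over constructed packet tuples (no pcap)."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags payload_len")

def flow_key(pkt):
    """Direction-independent key so both halves of a session share one flow."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a < b else (b, a)

def find_empty_sessions(packets):
    """Return keys of flows with SYN, SYN/ACK, ACK, then FIN or RST, and no
    payload bytes in either direction (the 'data_seen' flowbit never set)."""
    flows = {}
    for pkt in packets:
        st = flows.setdefault(flow_key(pkt), set())
        f = set(pkt.flags)
        if "S" in f:
            st.add("synack" if "A" in f else "syn")
        elif "A" in f and "synack" in st:
            st.add("ack")            # third leg of the handshake
        if pkt.payload_len > 0:
            st.add("data")           # like flowbits:set,data_seen
        if f & {"F", "R"}:
            st.add("closed")         # graceful or abortive teardown
    want = {"syn", "synack", "ack", "closed"}
    return sorted(k for k, st in flows.items() if want <= st and "data" not in st)

# Constructed sample: one empty session, one that sends data, one half-open SYN/RST.
SAMPLE = [
    Packet("10.0.0.5", 40000, "192.0.2.10", 443, "S", 0),
    Packet("192.0.2.10", 443, "10.0.0.5", 40000, "SA", 0),
    Packet("10.0.0.5", 40000, "192.0.2.10", 443, "A", 0),
    Packet("10.0.0.5", 40000, "192.0.2.10", 443, "FA", 0),
    Packet("192.0.2.10", 443, "10.0.0.5", 40000, "FA", 0),
    Packet("10.0.0.6", 40001, "192.0.2.10", 443, "S", 0),
    Packet("192.0.2.10", 443, "10.0.0.6", 40001, "SA", 0),
    Packet("10.0.0.6", 40001, "192.0.2.10", 443, "A", 0),
    Packet("10.0.0.6", 40001, "192.0.2.10", 443, "PA", 120),
    Packet("10.0.0.6", 40001, "192.0.2.10", 443, "FA", 0),
    Packet("10.0.0.7", 40002, "192.0.2.10", 443, "S", 0),
    Packet("192.0.2.10", 443, "10.0.0.7", 40002, "RA", 0),
]

if __name__ == "__main__":
    for key in find_empty_sessions(SAMPLE):
        print("handshake completed with no data:", key)
```

Only the first flow is reported: the second carried payload, and the third never completed the handshake, which keeps plain SYN scans out of this particular signal.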