We wrote about this in December of 2009.<div><br></div><div><a href="http://vrt-blog.snort.org/2009/12/require3whs-and-mystery-of-four-way.html">http://vrt-blog.snort.org/2009/12/require3whs-and-mystery-of-four-way.html</a></div>
<div><br><br><div class="gmail_quote">On Mon, Apr 25, 2011 at 1:55 PM, Kungu Panda <span dir="ltr">&lt;<a href="mailto:kungupanda@...11827...">kungupanda@...11827...</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
There has been a lot of press recently regarding exploits using tcp<br>
split handshaking to evade IDS/IPS solutions:<br>
     <a href="https://www.nsslabs.com/research/network-security/firewall-ngfw/network-firewall-group-test-q2-2011.html" target="_blank">https://www.nsslabs.com/research/network-security/firewall-ngfw/network-firewall-group-test-q2-2011.html</a><br>

     <a href="http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html" target="_blank">http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html</a><br>
     <a href="http://nmap.org/misc/split-handshake.pdf" target="_blank">http://nmap.org/misc/split-handshake.pdf</a><br>
<br>
Questions:<br>
   (a)  How does snort/stream5 handle split-tcp handshakes?<br>
   (b)  Does snort maintain correct flow directionality when<br>
reassembling split-tcp sessions?<br>
   (c)  Are there signatures to detect attempts to establish split-tcp<br>
connections?<br>
<br>
Thanks,<br>
KPanda<br>
<br>
</blockquote></div><br></div>