Snort mailing list archives
Re: TCP Portals: The Handshake's a Lie!
From: Jason Brvenik <jasonb () sourcefire com>
Date: Fri, 20 Nov 2009 11:12:12 -0500
My casual read on it was that you would have to be dealing with a malicious server which deliberately responds to a syn with a syn and that the likelihood of that is not the greatest. If it does happen the server is going to be doing a lot of other more malicious things.

My presumptions are:

- An inbound SYN that is not acknowledging a syn at the same time is going to be blocked by firewalls if properly configured.
- Even a properly configured border router will be blocking inbound syn only for non-services ports.
- Any attack relying on local segment access that is a concern means that you have already failed.

Who would like to provide a server on the net so that people can test their devices in a full life cycle test? Simple web page returned that says "It Worked!" would suffice.

On Tue, Nov 17, 2009 at 3:37 PM, Martin Roesch <roesch () sourcefire com> wrote:
> On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike () gmail com> wrote:
>
> > I haven't seen much commentary on this:
> > http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie.
> > Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for
> > state and/or flow?
>
> Hi there,
>
> Stream5 handles the TCP handshaking for the system, I don't think that
> anything else in the codebase cares about the TWH. I'd have to read the
> code and maybe turn on the debug statements to understand the full effect,
> I know at least some of the state handling handles the SYNs and ACKs
> separately but there could be issues with things like midstream pickups
> and so on.
>
> Marty
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
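As an added illustration that is not part of the original thread or of Snort's code: a small flow tracker that flags the case discussed above, a bare SYN answered by a bare SYN from the peer instead of a SYN/ACK. The `Pkt` record, the function names and the sample addresses are assumptions constructed for this example.

```python
from collections import namedtuple

# Constructed packet record (hypothetical); flags is a set of TCP flag names.
Pkt = namedtuple("Pkt", "src sport dst dport flags")

def flow_key(p):
    """Direction-independent key built from the two endpoints."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))

def syn_answered_with_syn(packets):
    """Return (initiator, responder) pairs where a bare SYN was answered
    by a bare SYN from the peer instead of a SYN/ACK."""
    pending = {}    # flow key -> endpoint whose bare SYN is still unanswered
    findings = []
    for p in packets:
        key, sender = flow_key(p), (p.src, p.sport)
        syn, ack = "SYN" in p.flags, "ACK" in p.flags
        if "RST" in p.flags:
            pending.pop(key, None)          # connection attempt aborted
        elif syn and not ack:
            opener = pending.setdefault(key, sender)
            if opener != sender:            # peer sent its own bare SYN
                # A legitimate TCP simultaneous open looks the same on the
                # wire, so treat this as a signal to review, not a verdict.
                findings.append((opener, sender))
                del pending[key]
            # a retransmitted SYN from the opener changes nothing
        elif syn and ack and pending.get(key) not in (None, sender):
            del pending[key]                # ordinary SYN/ACK from the peer
    return findings

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    # Flow 1: ordinary three-way handshake.
    Pkt("10.0.0.5", 40000, "192.0.2.10", 80, {"SYN"}),
    Pkt("192.0.2.10", 80, "10.0.0.5", 40000, {"SYN", "ACK"}),
    Pkt("10.0.0.5", 40000, "192.0.2.10", 80, {"ACK"}),
    # Flow 2: the server answers the client's SYN with a bare SYN.
    Pkt("10.0.0.5", 40001, "198.51.100.7", 80, {"SYN"}),
    Pkt("198.51.100.7", 80, "10.0.0.5", 40001, {"SYN"}),
]

if __name__ == "__main__":
    for opener, peer in syn_answered_with_syn(SAMPLE):
        print(f"SYN from {opener} answered with bare SYN by {peer}")
```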
Current thread:
- TCP Portals: The Handshake's a Lie! CunningPike (Nov 17)
- Re: TCP Portals: The Handshake's a Lie! Martin Roesch (Nov 17)
- Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
- Re: TCP Portals: The Handshake's a Lie! CunningPike (Nov 20)
- Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
- Re: TCP Portals: The Handshake's a Lie! Martin Roesch (Nov 20)
- Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 23)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 23)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 24)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 24)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 24)
- Re: TCP Portals: The Handshake's a Lie! Martin Roesch (Nov 17)
- Message not available
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 24)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Matt Olney (Dec 01)