Snort mailing list archives
Re: TCP Portals: The Handshake's a Lie!
From: CunningPike <cunningpike () gmail com>
Date: Fri, 20 Nov 2009 09:25:02 -0800
I can provide the server - but would need a little hand-holding to make sure it was replicating this behavior properly. Perhaps a netcat listener of some kind?

CP

On Fri, Nov 20, 2009 at 8:12 AM, Jason Brvenik <jasonb () sourcefire com> wrote:

> My casual read on it was that you would have to be dealing with a malicious server which deliberately responds to a syn with a syn and that the likelihood of that is not the greatest. If it does happen the server is going to be doing a lot of other more malicious things.
>
> My presumptions are:
>
> - An inbound SYN that is not acknowledging a syn at the same time is going to be blocked by firewalls if properly configured.
> - Even a properly configured border router will be blocking inbound syn only for non-services ports.
> - Any attack relying on local segment access that is a concern means that you have already failed.
>
> Who would like to provide a server on the net so that people can test their devices in a full life cycle test? Simple web page returned that says "It Worked!" would suffice.
>
> On Tue, Nov 17, 2009 at 3:37 PM, Martin Roesch <roesch () sourcefire com> wrote:
>
>> On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike () gmail com> wrote:
>>
>>> I haven't seen much commentary on this:
>>> http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie .
>>> Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for state and/or flow?
>>
>> Hi there,
>>
>> Stream5 handles the TCP handshaking for the system, I don't think that anything else in the codebase cares about the TWH. I'd have to read the code and maybe turn on the debug statements to understand the full effect, I know at least some of the state handling handles the SYNs and ACKs separately but there could be issues with things like midstream pickups and so on.
>>
>> Marty
>>
>> --
>> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
>> Sourcefire - Security for the Real World - http://www.sourcefire.com
>> Snort: Open Source IDP - http://www.snort.org
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Snort-users mailing list
>> Snort-users () lists sourceforge net
>> Go to this URL to change user options or unsubscribe:
>> https://lists.sourceforge.net/lists/listinfo/snort-users
>> Snort-users list archive:
>> http://www.geocrawler.com/redir-sf.php3?list=snort-users
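Added example, not part of the original messages and not Snort or Stream5 code: a flag-order check that marks flows where the first SYN is answered by a bare SYN, the behavior discussed in this thread, and shows which host sends the SYN/ACK in that case. The `Pkt` record, the function names and the sample addresses are constructed for illustration, and the sample assumes the initiator answers the bare SYN with a SYN/ACK as in RFC 793 simultaneous open.

```python
# Added example: flag TCP flows where the first SYN is answered by a bare SYN.
# Names and packet records are hypothetical; no real capture is used.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags")  # flags: set such as {"SYN", "ACK"}

def flow_key(p):
    # Direction-independent key so both halves of a flow map together.
    return tuple(sorted((p.src, p.dst)))

def classify_handshakes(packets):
    """Return {flow_key: verdict} based only on SYN/ACK flag order."""
    state = {}    # flow -> (initiator, stage)
    verdict = {}
    for p in packets:
        k = flow_key(p)
        syn, ack = "SYN" in p.flags, "ACK" in p.flags
        if k not in state:
            if syn and not ack:          # first bare SYN defines the initiator
                state[k] = (p.src, "syn_sent")
                verdict[k] = "incomplete"
            continue
        initiator, stage = state[k]
        from_responder = p.src != initiator
        if stage == "syn_sent" and from_responder and syn:
            if ack:                      # ordinary SYN/ACK reply
                state[k] = (initiator, "synack_seen")
            else:                        # SYN answered with SYN, no ACK
                state[k] = (initiator, "bare_syn_reply")
                verdict[k] = "syn-answered-with-syn"
        elif stage == "synack_seen" and not from_responder and ack and not syn:
            state[k] = (initiator, "done")
            verdict[k] = "three-way"
    return verdict

def synack_sender(packets, key):
    """Host a sensor would label 'server' if it keyed on the SYN/ACK sender."""
    for p in packets:
        if flow_key(p) == key and {"SYN", "ACK"} <= p.flags:
            return p.src
    return None

# Constructed sample: one normal handshake, one where the listener replies SYN.
C, S = "10.0.0.5:40000", "192.0.2.10:80"
C2, M = "10.0.0.5:40001", "198.51.100.7:80"
SAMPLE = [
    Pkt(C, S, {"SYN"}), Pkt(S, C, {"SYN", "ACK"}), Pkt(C, S, {"ACK"}),
    Pkt(C2, M, {"SYN"}), Pkt(M, C2, {"SYN"}), Pkt(C2, M, {"SYN", "ACK"}),
    Pkt(M, C2, {"ACK"}),
]
```

In the second constructed flow the SYN/ACK comes from the initiating host, which is why the question of whether anything relies on the SYN/ACK for state or flow direction matters.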
Current thread:
- TCP Portals: The Handshake's a Lie! CunningPike (Nov 17)
- Re: TCP Portals: The Handshake's a Lie! Martin Roesch (Nov 17)
- Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
- Re: TCP Portals: The Handshake's a Lie! CunningPike (Nov 20)
- Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
- Re: TCP Portals: The Handshake's a Lie! Martin Roesch (Nov 20)
- Re: TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 20)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 23)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 23)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 24)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Jason Brvenik (Nov 24)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 24)
- Re: TCP Portals: The Handshake's a Lie! Martin Roesch (Nov 17)
- Message not available
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Frank Knobbe (Nov 24)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Matt Olney (Dec 01)
- Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie! Matt Olney (Dec 01)