Snort mailing list archives
Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie!
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 24 Nov 2009 15:46:51 -0600
On Tue, 2009-11-24 at 12:54 -0500, Jason Brvenik wrote:
Or systems that run 30 year old TCP stacks :)
/me thinks if that were the case they would be having problems today.
/me nods
my thought here is not what should be happening but if a poorly designed / implemented system in an effort to accommodate this valid behavior might well let ip:80 -> ip:7627 establish a session much like a poorly implemented system that doesn't recognize SYN/[PSH,URG,ETC...] can establish state with some stacks.
Well, if ipA:80->ipB:7627 is in response to ipB:7627 sending a SYN to ipA:80, then it would be correct. Note that the SYN doesn't establish the sessions. You still require an ACK from both sides.
thanks for the education in flow handling, it was not clear to me :)
Well, I'm glad you learned something ;) I know you know this. It was for the benefit of other readers. I'd like to flesh things out so others can visualize what's happening to remain on "the same page".
And an IPS has an entirely different set of actions it can take. My point here is that if your systems are designed that an attack against the IDS using this method is possible (knowing all of the other hurdles) you have bigger problems.
I'm not aware of other problems though. Except running 30 year old stuff? :)
Cheers,
Frank
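The point made in the message above, that a SYN alone does not establish a session and that ipA:80->ipB:7627 is correct only as a reply to a SYN from ipB:7627, shown as an added example that is not part of the original message and is not Snort's code. The addresses, sequence numbers and the names `FlowTracker` and `replay` are constructed for illustration; window checks, retransmissions and teardown are left out.

```python
SYN, ACK = 0x02, 0x10  # TCP header flag bits

class FlowTracker:
    """Handshake tracking keyed on the endpoint pair, not on port numbers."""

    def __init__(self):
        self.flows = {}  # frozenset({endpoint, endpoint}) -> state dict

    def packet(self, src, dst, flags, seq=0, ack=0):
        """Feed one segment; return the flow state after processing it."""
        key = frozenset((src, dst))
        flow = self.flows.get(key)
        if flow is None:
            # Only a bare SYN may create state. Its sender is the client,
            # whichever side happens to use the low port.
            if flags & SYN and not flags & ACK:
                self.flows[key] = {"client": src, "isn": {src: seq}, "acked": set()}
                return "SYN_SEEN"
            return "NO_STATE"
        if flags & SYN:
            flow["isn"].setdefault(src, seq)
        peer_isn = flow["isn"].get(dst)
        # An ACK counts only if it acknowledges a SYN the peer really sent.
        if flags & ACK and peer_isn is not None and ack == (peer_isn + 1) % 2**32:
            flow["acked"].add(src)
        # Established: both sides sent a SYN and both sides ACKed the other's.
        if len(flow["isn"]) == 2 and len(flow["acked"]) == 2:
            return "ESTABLISHED"
        return "HANDSHAKE"

def replay(packets):
    """Run a packet list through a fresh tracker and return each resulting state."""
    tracker = FlowTracker()
    return [tracker.packet(*p) for p in packets]

# Constructed sample traffic (documentation address ranges).
A = ("192.0.2.10", 80)       # ipA:80
B = ("198.51.100.7", 7627)   # ipB:7627

# ipB:7627 opens to ipA:80; the reply from port 80 is then legitimate.
SOLICITED = [(B, A, SYN, 1000, 0), (A, B, SYN | ACK, 5000, 1001), (B, A, ACK, 1001, 5001)]
# Same reply with no preceding SYN from ipB: no state is ever created.
UNSOLICITED = [(A, B, SYN | ACK, 5000, 1001), (B, A, ACK, 1001, 5001)]
# A SYN followed by an ACK from the same side: still not a session.
ONE_SIDED = [(B, A, SYN, 1000, 0), (B, A, ACK, 1001, 0)]

if __name__ == "__main__":
    for name, pkts in (("solicited", SOLICITED), ("unsolicited", UNSOLICITED), ("one-sided", ONE_SIDED)):
        print(name, replay(pkts))
```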