Snort mailing list archives
Re: Detecting TCP session without data after three-way handshake
From: Edward Fjellskål <edwardfjellskaal () gmail com>
Date: Thu, 03 Nov 2011 11:56:13 +0100
On 11/03/2011 12:38 AM, Willst Mail wrote:
Hello,

Here's a theoretical question for you. I'm wondering if Snort can realistically identify sessions in which a three-way TCP handshake is established but then no data is requested by the client or sent by the server. In other words, two endpoints do their SYN, SYN/ACK, ACK exchange, then the connection is terminated, gracefully or otherwise, either immediately or after a period of time, and with no other communication between the endpoints during that session.

I can review firewall logs to find sessions with very little data transferred, which could help, but I was wondering if anyone has ideas about how to identify these types of sessions with Snort.

I'm going to cross-post this between the Google group and SourceForge mailing list to see if any smart people want to chime in.

Thanks!
-w
Hi,

I have been doing similar tests for a while with snort and suricata, which led me to a feature request for suricata. I took the liberty to update the feature request today (on the thoughts that you have, that was my initial reason to make a feature request), and maybe snort-devel would also consider it as a feature request to snort :)

https://redmine.openinfosecfoundation.org/issues/294

Today, I have been somewhat successful using (many) flowbits, but writing such rules (the way I do) sucks the juice out of snort. Suricata and its flowint ( https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flowint ) have helped, as I can write the same rule without the bad performance impact of these crazy rules of mine :)

You might be able to do what you want by writing a preprocessor :) but that might be a bit harder than writing a rule.

Any feedback on my feature request would be awesome :P

E
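One way to build the flowbits chain the reply refers to, as an added example that is not from the thread, the Snort project or Edward's own rules: three Snort 2.x rules that remember the client SYN, mark any payload in either direction, and alert on the first FIN or RST of a session that completed the handshake but never carried data. The flowbit names, sids and messages are constructed for this example.

```snort
# Constructed example rules (not from the thread). All three are content-less
# rules, so Snort evaluates them for every TCP packet; that per-packet cost is
# the "sucks the juice out of snort" effect the reply mentions.

# 1. Remember that a bare SYN (not SYN/ACK) opened this session; no alert yet.
#    ",12" ignores the two reserved (ECN) bits when matching flags.
alert tcp any any -> any any (msg:"FLOW handshake opened"; \
    flags:S,12; flowbits:set,empty.syn; flowbits:noalert; \
    classtype:not-suspicious; sid:1000001; rev:1;)

# 2. Any payload after the handshake, in either direction, marks the session
#    as having carried data.
alert tcp any any -> any any (msg:"FLOW payload seen"; \
    flow:established; dsize:>0; flowbits:set,empty.data; flowbits:noalert; \
    classtype:not-suspicious; sid:1000002; rev:1;)

# 3. FIN or RST (*FR = any of those bits) on an established session that was
#    opened here and never carried payload. flow:established keeps a plain
#    SYN -> RST (closed port, no handshake) from matching; empty.reported stops
#    the peer's FIN from raising a second alert for the same session.
alert tcp any any -> any any (msg:"FLOW TCP session closed with no data after handshake"; \
    flow:established; flags:*FR,12; \
    flowbits:isset,empty.syn; flowbits:isnotset,empty.data; \
    flowbits:isnotset,empty.reported; flowbits:set,empty.reported; \
    classtype:misc-activity; sid:1000003; rev:1;)
```

A session that is abandoned without any FIN or RST produces no closing packet for rule 3 to match, so a silent timeout is only visible from stream5 session state, which is the case where a preprocessor (or Suricata's flowint) is needed rather than a rule.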
Current thread:
- Detecting TCP session without data after three-way handshake Willst Mail (Nov 02)
- Re: Detecting TCP session without data after three-way handshake Edward Fjellskål (Nov 03)
- Re: Detecting TCP session without data after three-way handshake Jason Haar (Nov 03)
- Re: Detecting TCP session without data after three-way handshake Giles Coochey (Nov 04)
- Re: Detecting TCP session without data after three-way handshake Martin Holste (Nov 04)
- Re: Detecting TCP session without data after three-way handshake Seth Hall (Nov 04)