Snort mailing list archives
Re: Tcp session hijacking
From: Meysam Farazmand <farazmand.meisam () gmail com>
Date: Tue, 19 Aug 2014 12:46:23 +0430
Hi Waldo,

Thank you for the reply. Yes, you're right. I am doing a project with snort and my project manager wants me to test snort's session hijacking detection capability. If we assume that the attacker does not use a spoofed MAC address, the similarity between session hijacking and mitm is that in both, the MAC address of one side changes. So snort should detect this MAC address change with stream5. Is it correct?

On Aug 17, 2014 9:27 PM, "waldo kitty" <wkitty42 () windstream net> wrote:

> On 8/17/2014 5:37 AM, Meysam Farazmand wrote:
> > Hi all, I used "check_session_hijacking" in stream5 preprocessor for session
> > hijacking attacks detection and launched a mitm attack. But snort did not detect
> > it.
>
> session hijacking and mitm are not the same... session hijacking is where you take over or continue with someone's existing or previous session... mitm is where you are in the middle and have valid sessions with both parties and pass their traffic across while doing what you want with it in the middle...
>
> --
> NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
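Added example, not part of the original thread and not Snort's code: a simplified Python model of the check the Snort manual describes for `check_session_hijacking`, where the MAC addresses seen on the TCP 3-way handshake are compared against later packets on the same session. The `Frame` layout, helper names, and sample frames are constructed for illustration.

```python
from collections import namedtuple

# Constructed frame record: Ethernet source MAC plus the TCP/IP fields needed here.
Frame = namedtuple("Frame", "src_mac src_ip sport dst_ip dport flags")

def check_mac_consistency(frames):
    """Return (frame_index, side) for frames whose source MAC differs from
    the MAC learned for that side during the handshake."""
    sessions = {}   # (client endpoint, server endpoint) -> MAC learned per side
    alerts = []
    for i, f in enumerate(frames):
        src, dst = (f.src_ip, f.sport), (f.dst_ip, f.dport)
        if f.flags == "S":                       # client SYN: learn client MAC
            sessions[(src, dst)] = {"client": f.src_mac, "server": None}
            continue
        if (src, dst) in sessions:
            key, side = (src, dst), "client"
        elif (dst, src) in sessions:
            key, side = (dst, src), "server"
        else:
            continue                             # no handshake seen, nothing to compare
        macs = sessions[key]
        if side == "server" and f.flags == "SA" and macs["server"] is None:
            macs["server"] = f.src_mac           # SYN/ACK: learn server MAC
        elif macs[side] is not None and f.src_mac != macs[side]:
            alerts.append((i, side))             # MAC changed after the handshake
    return alerts

def frame(mac, a, b, flags):
    return Frame(mac, a[0], a[1], b[0], b[1], flags)

# Constructed sample data (addresses and MACs are made up).
C, S, X = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:02", "cc:cc:cc:cc:cc:03"
CLI, SRV = ("10.0.0.5", 40000), ("10.0.0.9", 23)

# Case 1: the client side's MAC changes in the middle of an established session.
MID_SESSION = [frame(C, CLI, SRV, "S"), frame(S, SRV, CLI, "SA"),
               frame(C, CLI, SRV, "A"), frame(X, CLI, SRV, "PA")]

# Case 2: the sensor sees the same MAC for the client side from the SYN onward,
# so there is no change for a handshake-based comparison to notice.
SAME_FROM_SYN = [frame(X, CLI, SRV, "S"), frame(S, SRV, CLI, "SA"),
                 frame(X, CLI, SRV, "A"), frame(X, CLI, SRV, "PA")]

if __name__ == "__main__":
    print("mid-session change:", check_mac_consistency(MID_SESSION))
    print("same MAC from SYN: ", check_mac_consistency(SAME_FROM_SYN))
```

Under this model only the first case alerts, so when testing the option it matters whether the MAC seen by the sensor actually changes after the handshake.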
Current thread:
- Tcp session hijacking Meysam Farazmand (Aug 17)
- Re: Tcp session hijacking waldo kitty (Aug 17)
- Re: Tcp session hijacking Meysam Farazmand (Aug 19)
- Re: Tcp session hijacking Joel Esler (jesler) (Aug 19)
- Re: Tcp session hijacking Meysam Farazmand (Aug 19)
- Re: Tcp session hijacking Joel Esler (jesler) (Aug 19)
- Re: Tcp session hijacking Meysam Farazmand (Aug 19)
- Re: Tcp session hijacking Russ Combs (rucombs) (Aug 19)
- Re: Tcp session hijacking Meysam Farazmand (Aug 19)
- Re: Tcp session hijacking Russ Combs (rucombs) (Aug 19)
- Re: Tcp session hijacking Meysam Farazmand (Aug 19)
- Re: Tcp session hijacking waldo kitty (Aug 17)
- Re: Tcp session hijacking Jefferson, Shawn (Aug 19)
- Re: Tcp session hijacking Meysam Farazmand (Aug 19)
- Re: Tcp session hijacking waldo kitty (Aug 19)