Snort mailing list archives
T/TCP resources -- answer for Andy Wood
From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Thu, 1 May 2003 15:31:04 -0700 (PDT)
Hello,

Lots of people have mentioned how to disable T/TCP in Snort, but no one mentioned what it is -- so far as my search of the list archives goes. :)

T/TCP recognizes that many sessions are request-response, like HTTP, so T/TCP tries to minimize overhead. For example, the client sends a SYN/request/FIN in one packet. The server sends its SYN/ACK/response/FIN, and the session concludes with the client ACKing the server's FIN.

For those who want more than my simplistic rendition of the protocol, see RFC 1379 (http://www.faqs.org/rfcs/rfc1379.html). Other resources include:

T/TCP home page: http://www.kohala.com/start/ttcp.html
1998 Phrack Article by Route: http://www.phrack.com/show.php?p=53&a=6

As for why you're seeing so much traffic which matches Snort's T/TCP checking code, I'd have to see some raw captures to analyze what's happening.

Sincerely,

Richard Bejtlich
richard at taosecurity dot com
http://taosecurity.com
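An added example, not part of the original post: a small parser that reads raw TCP segments and flags the SYN+FIN-in-one-packet shape described above (the shape a T/TCP check would key on, which is an assumption here about Snort's code). The sample segments are constructed inline, not captured traffic, and the checksum is left at zero.

```python
import struct
from dataclasses import dataclass

TCP_FIN, TCP_SYN, TCP_ACK = 0x01, 0x02, 0x10


@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    flags: int
    payload: bytes


def parse_tcp(segment: bytes) -> TcpSegment:
    """Parse header + payload from a raw TCP segment, honouring the data-offset field."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    src, dst, _seq, _ack, off_flags = struct.unpack("!HHIIH", segment[:14])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    flags = off_flags & 0x1FF                    # low 9 bits: flags incl. ECN
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    return TcpSegment(src, dst, flags, segment[data_offset:])


def ttcp_style(seg: TcpSegment) -> bool:
    """True when SYN and FIN travel together: the one-packet request/FIN of T/TCP."""
    return bool(seg.flags & TCP_SYN) and bool(seg.flags & TCP_FIN)


def scan(segments):
    """Return (index, note) for every T/TCP-style segment; plain SYN, ACK, FIN pass."""
    hits = []
    for i, raw in enumerate(segments):
        seg = parse_tcp(raw)
        if ttcp_style(seg):
            hits.append((i, f"SYN+FIN {seg.src_port}->{seg.dst_port} payload={len(seg.payload)}B"))
    return hits


def build_tcp(src: int, dst: int, flags: int, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte TCP header (no options, zero checksum) for the sample."""
    return struct.pack("!HHIIHHHH", src, dst, 1, 0, (5 << 12) | flags, 8192, 0, 0) + payload


SAMPLE = [  # constructed exchange mirroring the post: SYN, SYN/req/FIN, SYN/ACK/resp/FIN, ACK
    build_tcp(40000, 80, TCP_SYN),
    build_tcp(40001, 80, TCP_SYN | TCP_FIN, b"GET / HTTP/1.0\r\n\r\n"),
    build_tcp(80, 40001, TCP_SYN | TCP_ACK | TCP_FIN, b"HTTP/1.0 200 OK\r\n\r\n"),
    build_tcp(40001, 80, TCP_ACK),
]

if __name__ == "__main__":
    for idx, note in scan(SAMPLE):
        print(idx, note)
```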