Snort mailing list archives

T/TCP resources -- answer for Andy Wood


From: Richard Bejtlich <richard_bejtlich () yahoo com>
Date: Thu, 1 May 2003 15:31:04 -0700 (PDT)

Hello,

Lots of people have mentioned how to disable T/TCP in
Snort, but no one mentioned what it is -- so far as my
search of the list archives goes.  :)

T/TCP recognizes that many sessions are
request-response, like HTTP, so T/TCP tries to
minimize overhead.  For example, the client sends a
SYN/request/FIN in one packet.  The server sends its
SYN/ACK/response/FIN, and the session concludes with
the client ACKing the server's FIN.  

For those who want more than my simplistic rendition
of the protocol, see RFC 1379
(http://www.faqs.org/rfcs/rfc1379.html).

Other resources include:

T/TCP home page:

http://www.kohala.com/start/ttcp.html

1998 Phrack Article by Route:

http://www.phrack.com/show.php?p=53&a=6

As for why you're seeing so much traffic which matches
Snort's T/TCP checking code, I'd have to see some raw
captures to analyze what's happening.

Sincerely,

Richard Bejtlich
richard at taosecurity dot com
http://taosecurity.com
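As an added example (not part of Richard's post, and not Snort code), the script below builds the three-segment exchange he describes as constructed TCP segments, decodes the flag byte, and checks whether a short capture really matches the T/TCP pattern, including the sequence/ack accounting (SYN and FIN each consume one sequence number). The port numbers, payloads and the classification labels ("standard", "ttcp-transaction", "ttcp-orphan") are assumptions made for the example; a SYN/FIN segment that is not followed by the matching reply is reported separately because it is the kind of thing worth a closer look in a raw capture.

```python
"""Decode TCP segments and classify a T/TCP-style exchange.

Added example, not from the original post. All packets are constructed
in memory, so nothing is sent on a wire and no capture file is needed.
The pattern checked is the one described in the post:
  client: SYN + request + FIN      (open, send, close in one segment)
  server: SYN + ACK + response + FIN
  client: ACK of the server's FIN
"""
import struct

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = {SYN: "SYN", ACK: "ACK", PSH: "PSH", FIN: "FIN", RST: "RST", URG: "URG"}
TCP_HDR = struct.Struct("!HHIIBBHHH")  # 20-byte header without options


def build_tcp_segment(sport, dport, seq, ack, flags, payload=b""):
    """Build a constructed TCP segment: 20-byte header (no options) plus payload.
    The checksum is left at 0 because the segment is never transmitted."""
    data_offset = 5 << 4  # header length in 32-bit words, upper nibble of the byte
    hdr = TCP_HDR.pack(sport, dport, seq, ack, data_offset, flags, 65535, 0, 0)
    return hdr + payload


def parse_tcp_segment(data):
    """Decode a raw TCP segment into a dict; the payload starts at data_offset*4."""
    if len(data) < TCP_HDR.size:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = TCP_HDR.unpack_from(data)
    hdr_len = (off_res >> 4) * 4
    if hdr_len < TCP_HDR.size or hdr_len > len(data):
        raise ValueError("bad data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "payload": data[hdr_len:]}


def flag_string(flags):
    """Render the flag byte the way a packet decoder would, e.g. 'SYN/ACK/FIN'."""
    return "/".join(name for bit, name in FLAG_NAMES.items() if flags & bit) or "none"


def consumed_seq(seg):
    """Sequence space a segment uses: payload bytes plus one each for SYN and FIN."""
    f = seg["flags"]
    return len(seg["payload"]) + (1 if f & SYN else 0) + (1 if f & FIN else 0)


def is_ttcp_style(seg):
    """SYN and FIN set in the same segment: T/TCP opens and closes in one packet,
    which a standard three-way handshake never does."""
    return bool(seg["flags"] & SYN) and bool(seg["flags"] & FIN)


def classify_exchange(segments):
    """Classify raw segments from one client/server pair (assumed labels):
    'standard'          no SYN/FIN segment at all
    'ttcp-transaction'  the three-segment pattern with consistent seq/ack numbers
    'ttcp-orphan'       SYN/FIN seen but no matching completion of the exchange"""
    segs = [parse_tcp_segment(s) for s in segments]
    if not any(is_ttcp_style(s) for s in segs):
        return "standard"
    if len(segs) != 3:
        return "ttcp-orphan"
    c1, s1, c2 = segs
    same_flow = ((s1["sport"], s1["dport"]) == (c1["dport"], c1["sport"]) and
                 (c2["sport"], c2["dport"]) == (c1["sport"], c1["dport"]))
    client_open_ok = is_ttcp_style(c1) and not c1["flags"] & ACK
    server_ok = (is_ttcp_style(s1) and bool(s1["flags"] & ACK) and
                 s1["ack"] == (c1["seq"] + consumed_seq(c1)) & 0xFFFFFFFF)
    client_ack_ok = (bool(c2["flags"] & ACK) and not c2["flags"] & (SYN | FIN) and
                     c2["ack"] == (s1["seq"] + consumed_seq(s1)) & 0xFFFFFFFF)
    if same_flow and client_open_ok and server_ok and client_ack_ok:
        return "ttcp-transaction"
    return "ttcp-orphan"


def sample_ttcp_exchange():
    """Constructed three-segment T/TCP exchange (ports, seq numbers and payloads are made up)."""
    request = b"GET / HTTP/1.0\r\n\r\n"
    response = b"HTTP/1.0 200 OK\r\n\r\nhi"
    c_seq, s_seq = 1000, 5000
    client = build_tcp_segment(40000, 80, c_seq, 0, SYN | FIN, request)
    # server acknowledges the client's SYN + request + FIN
    server = build_tcp_segment(80, 40000, s_seq, c_seq + len(request) + 2,
                               SYN | ACK | FIN, response)
    # client acknowledges the server's SYN + response + FIN
    final = build_tcp_segment(40000, 80, c_seq + len(request) + 2,
                              s_seq + len(response) + 2, ACK)
    return [client, server, final]


if __name__ == "__main__":
    for raw in sample_ttcp_exchange():
        seg = parse_tcp_segment(raw)
        print(f"{seg['sport']}->{seg['dport']} {flag_string(seg['flags'])} "
              f"seq={seg['seq']} ack={seg['ack']} len={len(seg['payload'])}")
    print(classify_exchange(sample_ttcp_exchange()))
```

Run it as a script to see the three decoded segments and the verdict; to use it on real data, feed `classify_exchange` the TCP layer of each packet (without the IP header) in capture order, one client/server pair at a time.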





