Snort mailing list archives

Re: TCP Portals: The Handshake's a Lie!


From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 20 Nov 2009 13:44:27 -0500

You'd probably want to try to modify something like fragroute...


On Fri, Nov 20, 2009 at 1:19 PM, Jason Brvenik <jasonb () sourcefire com> wrote:
I don't think netcat will do it. There needs to be a stack
modification to do the handshake in this manner or an app that will do
it while suppressing the existing stack.

I can think of a quick and dirty iptables / libdnet app but don't have
the time to implement at the moment. Someone could probably do it
quickly with iptables and scapy too.

On Fri, Nov 20, 2009 at 12:25 PM, CunningPike <cunningpike () gmail com> wrote:
I can provide the server - but would need a little hand-holding to make
sure it was replicating this behavior properly. Perhaps a netcat listener
of some kind?

CP

On Fri, Nov 20, 2009 at 8:12 AM, Jason Brvenik <jasonb () sourcefire com> wrote:

My casual read on it was that you would have to be dealing with a
malicious server which deliberately responds to a syn with a syn and
that the likelihood of that is not the greatest. If it does happen the
server is going to be doing a lot of other more malicious things. My
presumptions are:

- An inbound SYN that is not acknowledging a syn at the same time is
going to be blocked by firewalls if properly configured.

- Even a properly configured border router will be blocking inbound
syn only for non-services ports.

- Any attack relying on local segment access that is a concern means
that you have already failed.

Who would like to provide a server on the net so that people can test
their devices in a full life cycle test? Simple web page returned that
says "It Worked!" would suffice.

On Tue, Nov 17, 2009 at 3:37 PM, Martin Roesch <roesch () sourcefire com> wrote:
On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike () gmail com> wrote:

I haven't seen much commentary on this:


http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie

Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for
state and/or flow?


Hi there,

Stream5 handles the TCP handshaking for the system, I don't think that
anything else in the codebase cares about the TWH. I'd have to read the
code and maybe turn on the debug statements to understand the full
effect, I know at least some of the state handling handles the SYNs and
ACKs separately but there could be issues with things like midstream
pickups and so on.

Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org



------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
trial. Simplify your report design, integration and deployment - and focus on
what you do best, core application coding. Discover what's new with
Crystal Reports now.  http://p.sf.net/sfu/bobj-july
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source IDP - http://www.snort.org
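The state-tracking question the thread is debating, as an added illustration (not code from Snort, Stream5 or any list member): two toy TCP handshake trackers run over constructed packet sequences. The strict one, keyed on seeing SYN then SYN/ACK in order, never marks a connection established when the server answers a SYN with a bare SYN (a simultaneous open under RFC 793), while the per-direction tracker does and labels that exchange as an anomaly worth alerting on. Addresses and packets are constructed, and only flags are examined, not sequence numbers.

```python
from collections import namedtuple
# Constructed stand-in for captured packets: flags is a string over S/A/F/R.
Pkt = namedtuple("Pkt", "src dst flags")
CLIENT, SERVER = "10.0.0.1", "10.0.0.2"   # constructed addresses

def _direction(p, client, server):
    if p.src == client and p.dst == server:
        return "c2s"
    if p.src == server and p.dst == client:
        return "s2c"
    return None

def naive_established(packets, client, server):
    """Textbook tracker: SYN, then SYN/ACK, then ACK, in that order, or nothing."""
    state = "LISTEN"
    for p in packets:
        d, flags = _direction(p, client, server), set(p.flags)
        if state == "LISTEN" and d == "c2s" and flags == {"S"}:
            state = "SYN_SENT"
        elif state == "SYN_SENT" and d == "s2c" and flags == {"S", "A"}:
            state = "SYN_RCVD"
        elif state == "SYN_RCVD" and d == "c2s" and "A" in flags:
            return True
    return False

def classify_handshake(packets, client, server):
    """Track SYN and ACK per direction independently, as RFC 793 allows."""
    syn_seen = {"c2s": False, "s2c": False}
    ack_seen = {"c2s": False, "s2c": False}
    server_sent_bare_syn = False          # server answered a SYN with a SYN
    for p in packets:
        d = _direction(p, client, server)
        if d is None:
            continue
        if "S" in p.flags:
            if d == "s2c" and not syn_seen["s2c"] and "A" not in p.flags:
                server_sent_bare_syn = True
            syn_seen[d] = True
        if "A" in p.flags:
            if not syn_seen[d]:
                return "midstream"        # ACK with no SYN from that side
            ack_seen[d] = True
    if all(syn_seen.values()) and all(ack_seen.values()):
        return "simultaneous-open" if server_sent_bare_syn else "three-way"
    return "incomplete"

# Constructed exchanges: normal handshake, server-side bare SYN, and midstream pickup.
THREE_WAY = [Pkt(CLIENT, SERVER, "S"), Pkt(SERVER, CLIENT, "SA"), Pkt(CLIENT, SERVER, "A")]
SIM_OPEN = [Pkt(CLIENT, SERVER, "S"), Pkt(SERVER, CLIENT, "S"),
            Pkt(CLIENT, SERVER, "SA"), Pkt(SERVER, CLIENT, "SA")]
MIDSTREAM = [Pkt(CLIENT, SERVER, "A"), Pkt(SERVER, CLIENT, "A")]
```

On SIM_OPEN the strict tracker returns False even though both ends have exchanged SYN and ACK, which is the gap a stream engine keyed on SYN/ACK would leave; the per-direction tracker reports "simultaneous-open" so the flow can be logged or alerted on.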