Fwd: stream5 reassembly and split-tcp handshaking

[Kungu Panda <kungupanda () gmail com>]

No responses received : (

Any insights from the community techies and/or the sourcefire guru's  ?



---------- Forwarded message ----------
From: Kungu Panda <kungupanda () gmail com>
Date: Mon, Apr 25, 2011 at 5:55 PM
Subject: stream5 reassembly and split-tcp handshaking
To: snort-users () lists sourceforge net


There has been a lot of press recently regarding exploits using tcp
split handshaking to evading IDS/IPS solutions:
    https://www.nsslabs.com/research/network-security/firewall-ngfw/network-firewall-group-test-q2-2011.html
    http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html
    http://nmap.org/misc/split-handshake.pdf

Questions:
  (a)  How does snort/stream5 handle split-tcp handshakes ?
  (b)  Does snort maintain correct flow directionality when
reassembling split-tcp sessions ?
  (c)  Are there signatures to detect attempts to establish split-tcp
connections ?

Thanks,
KPanda

------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network 
management toolset available today.  Delivers lowest initial 
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users