Snort mailing list archives

Re: stream5 reassembly and split-tcp handshaking


From: Joel Esler <jesler () sourcefire com>
Date: Wed, 27 Apr 2011 08:39:52 -0400

We wrote about this in December of 2009.

http://vrt-blog.snort.org/2009/12/require3whs-and-mystery-of-four-way.html


On Mon, Apr 25, 2011 at 1:55 PM, Kungu Panda <kungupanda () gmail com> wrote:

There has been a lot of press recently regarding exploits using TCP
split handshaking to evade IDS/IPS solutions:

https://www.nsslabs.com/research/network-security/firewall-ngfw/network-firewall-group-test-q2-2011.html

http://www.networkworld.com/news/2011/041211-hacker-exploit-firewalls.html
http://nmap.org/misc/split-handshake.pdf

Questions:
  (a)  How does snort/stream5 handle split-tcp handshakes?
  (b)  Does snort maintain correct flow directionality when
       reassembling split-tcp sessions?
  (c)  Are there signatures to detect attempts to establish split-tcp
       connections?

Thanks,
KPanda


------------------------------------------------------------------------------
WhatsUp Gold - Download Free Network Management Software
The most intuitive, comprehensive, and cost-effective network
management toolset available today.  Delivers lowest initial
acquisition cost and overall TCO of any competing solution.
http://p.sf.net/sfu/whatsupgold-sd
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
