Snort mailing list archives

Re: Detecting TCP session without data after three-way handshake


From: Edward Fjellskål <edwardfjellskaal () gmail com>
Date: Thu, 03 Nov 2011 11:56:13 +0100

On 11/03/2011 12:38 AM, Willst Mail wrote:
Hello,
Here's a theoretical question for you.  I'm wondering if Snort can
realistically identify sessions in which a three-way TCP handshake is
established but then no data is requested by the client or sent by the
server.  In other words, two endpoints do their SYN, SYN/ACK, ACK
exchange, then the connection is terminated, gracefully or otherwise,
either immediately or after a period of time, and with no other
communication between the endpoints during that session.  I can review
firewall logs to find sessions with very little data transferred,
which could help, but I was wondering if anyone has ideas about how to
identify these types of sessions with Snort.

I'm going to cross-post this between the Google group and SourceForge
mailing list to see if any smart people want to chime in.

Thanks!

-w

Hi,

I have been doing similar tests for a while with snort and suricata,
which led me to a feature request for suricata.

I took the liberty to update the feature request today (with the thoughts
that you have; that was my initial reason to make a feature request),
and may snort-devel also consider it as a feature request for snort :)

https://redmine.openinfosecfoundation.org/issues/294

Today, I have been somewhat successful using (many) flowbits, but
writing such rules (the way I do) sucks the juice out of snort.
Suricata and its flowint
( https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Flowint )
have helped, as I can write the same rule without the bad performance
impact of these crazy rules of mine :)

You might be able to do what you want by writing a preprocessor :) but that
might be a bit harder than writing a rule.

Any feedback on my feature request would be awesome :P

E
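To make the detection idea in this thread concrete, the script below is an added example (not code from the thread, and not Snort's or Suricata's own) that does outside the IDS what the flowbits/flowint rules do inside it: it keeps per-flow state across the SYN, SYN/ACK and ACK, sums the TCP payload bytes seen in either direction, and reports flows that reached ESTABLISHED but carried no payload before a FIN/RST, or that simply went idle for longer than a chosen timeout. The packet records are constructed for the example; in practice they would come from a pcap or a flow/firewall log exported with TCP flags and payload lengths.

```python
"""Flag TCP flows that complete the three-way handshake but move no data.

Added example for the snort-users thread; the packet records below are
constructed, and the field names and thresholds are assumptions.
"""
from collections import namedtuple

# One packet record: timestamp (s), src IP, src port, dst IP, dst port,
# TCP flag letters (S/A/F/R/P), and TCP payload length in bytes.
Packet = namedtuple("Packet", "ts src sport dst dport flags plen")


class Flow:
    """Per-flow state; the role flowbits/flowint play inside the IDS."""

    def __init__(self, client, server, ts):
        self.client = client      # (ip, port) that sent the first bare SYN
        self.server = server
        self.stage = "SYN"        # SYN -> SYNACK -> ESTABLISHED
        self.payload = 0          # payload bytes seen in either direction
        self.closed = False       # FIN or RST observed
        self.last_ts = ts


def _key(p):
    """Direction-independent flow key so both halves land on one Flow."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


def track_flows(packets):
    """Replay packets in order and return {flow_key: Flow}."""
    flows = {}
    for p in packets:
        src = (p.src, p.sport)
        f = flows.get(_key(p))
        if f is None:
            # Only a bare SYN opens tracking; mid-stream packets with no
            # observed handshake are ignored, as an IDS stream tracker does.
            if "S" in p.flags and "A" not in p.flags:
                flows[_key(p)] = Flow(src, (p.dst, p.dport), p.ts)
            continue
        f.last_ts = p.ts
        if f.stage == "SYN" and src == f.server and "S" in p.flags and "A" in p.flags:
            f.stage = "SYNACK"
        elif f.stage == "SYNACK" and src == f.client and "A" in p.flags and "S" not in p.flags:
            f.stage = "ESTABLISHED"
        f.payload += p.plen
        if "F" in p.flags or "R" in p.flags:
            f.closed = True
    return flows


def handshake_only_flows(packets, now, idle_timeout):
    """Return sorted (client, server, reason) for established, data-less flows.

    'closed-without-data': handshake completed, then FIN/RST with 0 payload.
    'idle-without-data'  : handshake completed, no payload, quiet >= idle_timeout.
    A refused connection (SYN then RST) never reaches ESTABLISHED and is not reported.
    """
    hits = []
    for f in track_flows(packets).values():
        if f.stage != "ESTABLISHED" or f.payload != 0:
            continue
        if f.closed:
            hits.append((f.client, f.server, "closed-without-data"))
        elif now - f.last_ts >= idle_timeout:
            hits.append((f.client, f.server, "idle-without-data"))
    return sorted(hits)


# Constructed sample traffic (not captured data).
SAMPLE = [
    # Flow A: handshake, then an immediate graceful close with no payload.
    Packet(1.0, "10.0.0.5", 40000, "192.0.2.10", 443, "S", 0),
    Packet(1.1, "192.0.2.10", 443, "10.0.0.5", 40000, "SA", 0),
    Packet(1.2, "10.0.0.5", 40000, "192.0.2.10", 443, "A", 0),
    Packet(1.3, "10.0.0.5", 40000, "192.0.2.10", 443, "FA", 0),
    Packet(1.4, "192.0.2.10", 443, "10.0.0.5", 40000, "FA", 0),
    Packet(1.5, "10.0.0.5", 40000, "192.0.2.10", 443, "A", 0),
    # Flow B: ordinary HTTP exchange with data both ways; not a hit.
    Packet(2.0, "10.0.0.5", 40001, "192.0.2.10", 80, "S", 0),
    Packet(2.1, "192.0.2.10", 80, "10.0.0.5", 40001, "SA", 0),
    Packet(2.2, "10.0.0.5", 40001, "192.0.2.10", 80, "A", 0),
    Packet(2.3, "10.0.0.5", 40001, "192.0.2.10", 80, "PA", 120),
    Packet(2.4, "192.0.2.10", 80, "10.0.0.5", 40001, "PA", 512),
    Packet(2.5, "10.0.0.5", 40001, "192.0.2.10", 80, "FA", 0),
    # Flow C: handshake completes, then the connection just goes quiet.
    Packet(3.0, "10.0.0.6", 40002, "192.0.2.20", 22, "S", 0),
    Packet(3.1, "192.0.2.20", 22, "10.0.0.6", 40002, "SA", 0),
    Packet(3.2, "10.0.0.6", 40002, "192.0.2.20", 22, "A", 0),
    # Flow D: connection refused; never established, so not a hit.
    Packet(4.0, "10.0.0.7", 40003, "192.0.2.30", 25, "S", 0),
    Packet(4.1, "192.0.2.30", 25, "10.0.0.7", 40003, "RA", 0),
    # Flow E: mid-stream packet with no observed handshake; ignored.
    Packet(5.0, "10.0.0.8", 40004, "192.0.2.40", 443, "PA", 300),
]

if __name__ == "__main__":
    for client, server, reason in handshake_only_flows(SAMPLE, now=200.0, idle_timeout=60.0):
        print(f"{client[0]}:{client[1]} -> {server[0]}:{server[1]}  {reason}")
```

The idle case is the one a single rule cannot express: a rule fires on a packet, and a flow that goes silent never sends one, so in Snort that check has to live in a preprocessor (or in the stream timeout handling), while Suricata's flowint at least lets the byte counting happen without a pile of flowbits. Whatever the engine, treat the idle threshold as an assumption to tune against your own traffic: keep-alive probes, load-balancer health checks and some scanners all produce exactly this pattern legitimately.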

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
