Snort mailing list archives

Re: help - React keyword use to display message on web browser

From: wkitty42 () windstream net
Date: Thu, 31 Mar 2016 10:01:25 -0400

On 03/31/2016 09:11 AM, Amul Patel wrote:

Does any one know how snort know that connection is established ?


a connection is seen as established when the three-way handshake has been 
completed... of course that only works for TCP connections as UDP doesn't 
handshake like that...

an established connection is no longer established when one side or the other 
sends the initial FIN teardown request... this is a four-way pattern of FIN, 
ACK, FIN, ACK where the first FIN and last ACK are sent by one end of the 
connection and the two middle ones are sent by the other end...

in many many cases, networks stacks drop the connection as soon as they send 
their FIN and they don't wait for the ACK to arrive... that can cause what is 
known as spurious firewall hits because the ACK is not associated with an 
established connection and gets logged and dropped since it has no where to be 
sent because the receiver has already shut down the connection and it not 
listening any longer...

in other cases, one might send a RST to close the connection abruptly...

so, two ways to teardown a TCP connection... FIN(,ACK,FIN,ACK) and RST...

-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.

------------------------------------------------------------------------------
Transform Data into Opportunity.
Accelerate data analysis in your applications with
Intel Data Analytics Acceleration Library.
Click to learn more.
http://pubads.g.doubleclick.net/gampad/clk?id=278785471&iu=/4140
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

Re: help - React keyword use to display message on web browser, (continued)
- Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 25)
  - Re: help - React keyword use to display message on web browser Amul Patel (Mar 28)
    - Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 28)
    - Re: help - React keyword use to display message on web browser Amul Patel (Mar 28)
    - Re: help - React keyword use to display message on web browser Amul Patel (Mar 28)
    - Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 29)
    - Re: help - React keyword use to display message on web browser Amul Patel (Mar 30)
    - Re: help - React keyword use to display message on web browser Amul Patel (Mar 29)
    - Re: help - React keyword use to display message on web browser Amul Patel (Mar 31)
    - Re: help - React keyword use to display message on web browser Amul Patel (Mar 31)
    - Re: help - React keyword use to display message on web browser wkitty42 (Mar 31)
    - Re: help - React keyword use to display message on web browser Al Lewis (allewi) (Mar 28)