snort-users November 2009 archive

Re: [Snort-users] TCP Portals: The Handshake's a Lie!

From: Jason Brvenik <jasonb_at_nospam>
Date: Fri Nov 20 2009 - 16:12:12 GMT
To: Martin Roesch <roesch@sourcefire.com>, CunningPike <cunningpike@gmail.com>, Emerging-sigs@emergingthreats.net, Snort-users@lists.sourceforge.net


My casual read on it was that you would have to be dealing with a malicious server which deliberately responds to a SYN with a SYN, and that the likelihood of that is not the greatest. If it does happen, the server is going to be doing a lot of other, more malicious things. My presumptions are:

  • An inbound SYN that is not acknowledging a SYN at the same time is going to be blocked by firewalls if properly configured.
  • Even a properly configured border router will be blocking inbound SYN-only packets for non-service ports.
  • Any attack relying on local segment access that is a concern means that you have already failed.

Who would like to provide a server on the net so that people can test their devices in a full life-cycle test? A simple web page returned that says "It Worked!" would suffice.

On Tue, Nov 17, 2009 at 3:37 PM, Martin Roesch <roesch@sourcefire.com> wrote:
> On Tue, Nov 17, 2009 at 3:11 PM, CunningPike <cunningpike@gmail.com> wrote:
>>
>> I haven't seen much commentary on this:
>> http://www.breakingpointsystems.com/community/blog/tcp-portals-the-three-way-handshake-is-a-lie.
>> Do any of the snort sigs or preprocessors rely on a SYN/ACK packet for state
>> and/or flow?
>>
>
> Hi there,
>
> Stream5 handles the TCP handshaking for the system; I don't think that
> anything else in the codebase cares about the TWH. I'd have to read the
> code and maybe turn on the debug statements to understand the full effect. I
> know at least some of the state handling handles the SYNs and ACKs
> separately, but there could be issues with things like midstream pickups and
> so on.
>
> Marty
>
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
> Sourcefire - Security for the Real World - http://www.sourcefire.com
> Snort: Open Source IDP - http://www.snort.org
>




Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
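The handshake discussed in this thread, as an added example that is not part of the original post and is not Snort/Stream5 or BreakingPoint code: a toy Python model of two ways a middlebox can decide that a TCP session is established, run over constructed segment sequences. The normal handshake, the "portal" variant (the client's SYN answered with a bare SYN, followed by a SYN/ACK from the client and an ACK from the server, which is the RFC 793 simultaneous-open ordering assumed here), a half-open connection and a midstream pickup are all constructed inputs, not captured traffic. The `drop_bare_syn_from_server` filter models the presumption stated above, that a border device drops inbound SYN-only packets, as a policy, and says nothing about what any particular firewall actually does.

```python
"""
Toy flow tracker contrasting two ways an inline device can decide a TCP
session is established: (a) insisting on the textbook SYN, SYN/ACK, ACK
exchange in order, and (b) only asking whether each side's SYN was later
acknowledged by the peer, which also accepts the simultaneous-open ordering.
Added illustration; not Snort/Stream5 code. Sequence numbers are omitted,
so this is a flag-only model (a real tracker must check them as well).
"""
from dataclasses import dataclass

CLIENT = "client"
SERVER = "server"


@dataclass(frozen=True)
class Segment:
    sender: str  # CLIENT or SERVER, as seen by the device in the middle
    flags: str   # subset of "SA": S = SYN bit set, A = ACK bit set

    @property
    def syn(self) -> bool:
        return "S" in self.flags

    @property
    def ack(self) -> bool:
        return "A" in self.flags


def peer(side: str) -> str:
    return SERVER if side == CLIENT else CLIENT


# Constructed handshakes (not captured traffic).
NORMAL_HANDSHAKE = [Segment(CLIENT, "S"), Segment(SERVER, "SA"), Segment(CLIENT, "A")]

# The "portal" variant discussed in the thread: the server answers the SYN
# with a bare SYN; the exchange then completes as an RFC 793 simultaneous
# open (client SYN/ACK, server ACK). That completion is an assumption here.
PORTAL_HANDSHAKE = [
    Segment(CLIENT, "S"),
    Segment(SERVER, "S"),
    Segment(CLIENT, "SA"),
    Segment(SERVER, "A"),
]

HALF_OPEN = [Segment(CLIENT, "S"), Segment(SERVER, "SA")]      # final ACK never seen
MIDSTREAM = [Segment(CLIENT, "A"), Segment(SERVER, "A")]        # no SYN seen at all


def strict_three_way(segments) -> bool:
    """Established only after the textbook SYN, SYN/ACK, ACK in that order.
    A tracker written this way never recognises the portal exchange."""
    expected = [(CLIENT, "S"), (SERVER, "SA"), (CLIENT, "A")]
    return [(s.sender, s.flags) for s in segments[:3]] == expected


def syn_acknowledged(segments) -> bool:
    """Established once both sides have sent a SYN and each SYN has been
    acknowledged by a later segment from the peer. Accepts both the normal
    and the simultaneous-open ordering; rejects half-open and midstream."""
    syn_seen = {CLIENT: False, SERVER: False}
    syn_acked = {CLIENT: False, SERVER: False}
    for seg in segments:
        if seg.syn:
            syn_seen[seg.sender] = True
        # An ACK from this side acknowledges the peer's SYN, if one was seen.
        if seg.ack and syn_seen[peer(seg.sender)]:
            syn_acked[peer(seg.sender)] = True
    return all(syn_seen.values()) and all(syn_acked.values())


def drop_bare_syn_from_server(segments):
    """Model of the presumption in the thread: a border filter that drops any
    packet arriving from the outside with SYN set and ACK clear. Returns the
    segments the inside host could still see; segments that depend on the
    dropped one are left in place, so re-evaluating the result shows only
    whether the tracker could ever reach 'established' under that policy."""
    return [s for s in segments if not (s.sender == SERVER and s.syn and not s.ack)]


if __name__ == "__main__":
    cases = [("normal", NORMAL_HANDSHAKE), ("portal", PORTAL_HANDSHAKE),
             ("half-open", HALF_OPEN), ("midstream", MIDSTREAM)]
    for name, hs in cases:
        print(f"{name:9s} strict={strict_three_way(hs)!s:5} "
              f"syn-acked={syn_acknowledged(hs)!s:5} "
              f"behind-filter={syn_acknowledged(drop_bare_syn_from_server(hs))}")
```

A tracker that pattern-matches the textbook sequence never marks the portal exchange as established, so anything keyed on session state would not inspect that stream, while a tracker that only asks whether each side's SYN was acknowledged treats it like any other connection. Behind the modelled SYN-only filter the portal exchange cannot complete at all, which is the point the presumptions above rest on; whether a given firewall or router actually applies that policy is something the "It Worked!" test server proposed in the message would settle.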