snort-users November 2009 archive

Re: [Snort-users] [Emerging-Sigs] TCP Portals: The Handshake's a Lie!

From: Frank Knobbe <frank_at_nospam>
Date: Tue Nov 24 2009 - 21:49:37 GMT
To: Josh Smith <famousjs@gmail.com>


On Tue, 2009-11-24 at 11:13 -0500, Josh Smith wrote:
>
> I already did some testing with snort, and sent to cunningpike but
> didn't hit reply to all. Here it is so far:
>
> http://malforge.com/node/20
>
> Snort was able to detect the "alternate" handshake if I took out
> http_method, and put in flow:established,from_server. This was odd,
> since it should alert on to_server being a GET request.

That should help the Snort crew to narrow things down... unless it's decided that it's not a problem. And I'm glad to hear that flow: works properly. Thanks for testing!

-Frank






Snort-users mailing list
Snort-users@lists.sourceforge.net