snort-users November 2009 archive

Re: [Snort-users] [Emerging-Sigs] TCP Portals: The Handshake's a Lie!

From: Frank Knobbe <frank_at_nospam>
Date: Tue Nov 24 2009 - 21:49:37 GMT
To: Josh Smith <>

On Tue, 2009-11-24 at 11:13 -0500, Josh Smith wrote:
> I already did some testing with snort, and sent to cunningpike but
> didn't hit reply to all. Here it is so far:
> Snort was able to detect the "alternate" handshake if I took out
> http_method, and put in flow:established,from_server. This was odd,
> since it should alert on to_server being a GET request.

That should help the Snort crew to narrow things down... unless it's decided that it's not a problem. And I'm glad to hear that flow: works properly. Thanks for testing!

