RE: T/TCP resources -- answer for Andy Wood

[MH <procana () insight rr com>]

Hi Andy,

Richard is right on the money with his explanation and references.
There is a difference to what I explained in my post on truncated tcp 
options and T/TCP detected.
To understand T/TCP you must look to the ultimate source (RFCs 1379 and 
1644) :)

Hope this helps,
Mike



At 09:28 PM 5/1/2003 -0400, Andy Wood wrote:
>         You may also reference this msg, sent 4/27/2003 @ 5am, for an
> explanation:
>
> http://sourceforge.net/mailarchive/message.php?msg_id=4437405
>
>
> -----Original Message-----
> From: Richard Bejtlich [mailto:richard_bejtlich () yahoo com]
> Sent: Thursday, May 01, 2003 6:31 PM
> To: snort-users () lists sourceforge net
>
> Hello,
>
> Lots of people have mentioned how to disable T/TCP in Snort, but no one
> mentioned what it is -- so far as my search of the list archives goes.  :)
>
> T/TCP recognizes that many sessions are
> request-response, like HTTP, so T/TCP tries to minimize overhead.  For
> example, the client sends a SYN/request/FIN in one packet.  The server sends
> its SYN/ACK/response/FIN, and the session concludes with the client ACKing
> the server's FIN.
>
> For those who want more than my simplistic rendition of the protocol, see
> RFC 1379 (http://www.faqs.org/rfcs/rfc1379.html).
>
> Other resources include:
>
> T/TCP home page:
>
> http://www.kohala.com/start/ttcp.html
>
> 1998 Phrack Article by Route:
>
> http://www.phrack.com/show.php?p=53&a=6
>
> As for why you're seeing so much traffic which matches Snort's T/TCP
> checking code, I'd have to see some raw captures to analyzing what's
> happening.
>
> Sincerely,
>
> Richard Bejtlich
> richard at taosecurity dot com
> http://taosecurity.com
>
>
> __________________________________
> Do you Yahoo!?
> The New Yahoo! Search - Faster. Easier. Bingo.
> http://search.yahoo.com
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users