Snort mailing list archives

Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie!


From: CunningPike <cunningpike () gmail com>
Date: Thu, 3 Dec 2009 12:44:54 -0800

On Tue, Dec 1, 2009 at 12:53 PM, Matt Olney <molney () sourcefire com> wrote:
I'd like to close the loop a little on the "4-way handshake" problem.
We did some preliminary investigation into this and found that it was
possible to bypass rules using this.  The VRT did the initial testing
and the case was then passed to the Snort team.  Their testing
revealed a config change that would ensure that the snort rules would
alert properly in the face of a malicious server implementing a 4-way
capable stack.

The modification is to add the following value to your "preprocessor
stream5_tcp:" line:

require_3whs


Terrific work by you and your team, Matt - top marks!

CP
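The fix Matt describes, `require_3whs` on the `preprocessor stream5_tcp:` line, makes the stream tracker establish a session only when it sees the canonical SYN, SYN/ACK, ACK exchange. The following Python model is an added example, not Snort's code and not part of the thread: it shows the policy that option expresses by fixing client/server roles only from a proper three-way handshake and flagging any other setup. The segment format, the endpoint labels and the four-segment "split" sequence are constructed for illustration (the thread does not spell out what the malicious server's exchange looked like; the simultaneous-open shape used here is an assumption).

```python
# Added example: a toy session tracker modelling the "require a proper
# three-way handshake" rule behind Snort's stream5_tcp require_3whs option.
# This is NOT Snort's code; segments and endpoint labels are constructed.

from dataclasses import dataclass
from typing import List, Optional

SYN = 0x02
ACK = 0x10
SYN_ACK = SYN | ACK


@dataclass(frozen=True)
class Segment:
    """One TCP segment with constructed endpoint labels and TCP flag bits."""
    src: str
    dst: str
    flags: int


def _flag_names(flags: int) -> str:
    names = []
    if flags & SYN:
        names.append("SYN")
    if flags & ACK:
        names.append("ACK")
    return "/".join(names) or "none"


def roles_from_3whs(segments: List[Segment]) -> Optional[dict]:
    """Return {'client': A, 'server': B} only if the first three segments are
    SYN (A->B), SYN/ACK (B->A), ACK (A->B); otherwise None.

    This is the require_3whs policy: a session is established, with fixed
    client/server roles, only when the canonical handshake is observed.
    """
    if len(segments) < 3:
        return None
    syn, synack, ack = segments[:3]
    if syn.flags != SYN:
        return None
    if not (synack.src == syn.dst and synack.dst == syn.src
            and synack.flags == SYN_ACK):
        return None
    if not (ack.src == syn.src and ack.dst == syn.dst and ack.flags == ACK):
        return None
    return {"client": syn.src, "server": syn.dst}


def classify_setup(segments: List[Segment]) -> str:
    """Describe the observed connection setup, e.g. for a review log line."""
    if roles_from_3whs(segments) is not None:
        return "3whs"
    if len(segments) >= 2 and segments[0].flags == SYN and segments[1].flags == SYN:
        # Both ends sent a bare SYN: a simultaneous-open style setup that a
        # require_3whs tracker refuses to treat as an established session.
        return "non-3whs: both endpoints sent bare SYN"
    shown = ", ".join(f"{s.src}->{s.dst} {_flag_names(s.flags)}" for s in segments[:4])
    return "non-3whs: " + shown


# Constructed sample exchanges.
NORMAL = [
    Segment("client", "server", SYN),
    Segment("server", "client", SYN_ACK),
    Segment("client", "server", ACK),
]

# Constructed four-segment setup (assumed shape): the server answers the
# SYN with its own bare SYN rather than SYN/ACK, so roles are ambiguous.
FOUR_WAY = [
    Segment("client", "server", SYN),
    Segment("server", "client", SYN),
    Segment("client", "server", SYN_ACK),
    Segment("server", "client", ACK),
]

if __name__ == "__main__":
    for name, seq in (("normal", NORMAL), ("four-way", FOUR_WAY)):
        print(f"{name}: {classify_setup(seq)} roles={roles_from_3whs(seq)}")
```

The point of the model is the asymmetry: a tracker that accepts any plausible setup has to guess which side is the server, and rules keyed on direction or established state inherit that guess, whereas one that requires the three-way handshake either has unambiguous roles or declines to establish the session at all.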
