Snort mailing list archives
Re: [Emerging-Sigs] TCP Portals: The Handshake's a Lie!
From: Frank Knobbe <frank () knobbe us>
Date: Tue, 24 Nov 2009 15:49:37 -0600
On Tue, 2009-11-24 at 11:13 -0500, Josh Smith wrote:
> I already did some testing with snort, and sent to cunningpike but didn't hit reply to all. Here it is so far: http://malforge.com/node/20
>
> Snort was able to detect the "alternate" handshake if I took out http_method, and put in flow:established,from_server. This was odd, since it should alert on to_server being a GET request.

That should help the Snort crew to narrow things down... unless it's decided that it's not a problem. And I'm glad to hear that flow: works properly.

Thanks for testing!

-Frank