A Suggestion for an explicit SYN/ACK Indicator in Argus
David Edelman
dedelman at iname.com
Fri Aug 16 20:07:21 EDT 2013
Regardless of what innumerable CISSPs have been led to believe, the response
to a TCP packet with the SYN flag set is a TCP packet with the ACK flag set.
It is permissible and almost always the case to also set the SYN flag and
the appropriate option and sequence number bits and pieces but it is not a
requirement to do so. It perfectly permissible for the server to send an
ACK packet followed by a second packet with the SYN flag set and its part of
the session initiation parameters in order to complete the three-way
handshake. On the other hand, almost all instances of this 3.1 way handshake
are malicious.
For that reason, and to make is much easier to clearly differentiate between
the client and the server where the necessary information is available, is
it possible to create an indicator saying that a single packet was seen that
had both the SYN and the ACK flags set?
I'd love to see something like FSPA_XFSPA (I always use -Zb) as compared to
the current FSPA_FSPA. In fact with the SYN/ACK indicator available, I would
know that FSPA_FSPA indicates a flow worthy of extra scrutiny since I see
both SYN's but I have no indication that there was a single packet with both
SYN and ACK set.
If this already exists but is obscured by -Zb, would it be possible to
augment the output of State field to include an additional indicator for
SYN/ACK or to add a new field (possibly called Role) to expose the
information?
--Dave
More information about the argus
mailing list