[Emerging-Sigs] seeing large numbers of alerts for CVE-2015-1427 Elastic Search Sandbox Escape Remote Code Execution Attempt - 2020648

wkitty42 at windstream.net wkitty42 at windstream.net
Mon Jan 13 05:58:40 HST 2020


On 1/12/20 7:52 PM, Russell Fulton wrote:
> My question is should suricata be setting the established flag when there had
> *not* been a SYN+ACK from the destination?    If it did insist on a SYN+ACK
> then all of these alerts would vanish.

this seems to be a suricata related support question and should probably be 
brought up on one of their lists...


however, if your question is really about snort, i might point you to

   preprocessor stream5_tcp

and its require_3whs option...

README.stream5 should contain more information...

sadly, for some reason, uncle google doesn't turn up anything about this option 
on snort.org or any of its related sites...

do note, though, that this option may break the so-called 4way handshake that 
some systems use these days... this talos blog post from 2009 talks a little 
about that but i feel that more clarification is needed...

https://blog.talosintelligence.com/2009/12/require3whs-and-mystery-of-four-way.html




-- 
  NOTE: No off-list assistance is given without prior approval.
        *Please keep mailing list traffic on the list where it belongs!*


More information about the Emerging-sigs mailing list