IDS mailing list archives
Re: TCP Sack processing
From: Joel Esler <eslerj () gmail com>
Date: Sat, 13 Aug 2005 08:10:22 -0400
IIRC, Snort's preprocs do a very good job of keeping that state stuff in combination between Stream4 and the new frag3. Basically this is my opinion, and I need someone from SF to back me up.

J

On 8/11/05, Joachim Schipper <j.schipper () math uu nl> wrote:
> On Tue, Aug 09, 2005 at 04:28:10PM -0400, snort user wrote:
>> Greetings.
>>
>> Does TCP stream reassembly algorithm need TCP SACK processing for completeness?
>> Are there scenarios that an IDS/IPS would miss an attack if it does not take the selective acks into consideration?
>>
>> Any comments/opinions/pointers are appreciated.
>>
>> Thanks
>
> Well, I am not an expert, but...
>
> Suppose I have an exploit that requires a TCP connection. I open the connection, send packet #1 and #3, and then send #2 after #3 has been SACK'ed. Wouldn't that work, and bypass your IDS, especially if the exploit is divided over the packets in a smart way?
>
> Joachim
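Added example, not part of the original thread and not Snort code: a minimal reassembler (hypothetical `StreamReassembler`, with constructed segments and a harmless constructed signature) that runs the out-of-order scenario quoted above through per-packet matching and through matching on the reassembled stream. It assumes relative sequence numbers and non-overlapping segments, and it orders bytes by sequence number alone without consulting SACK options.

```python
"""Added example: per-packet vs. reassembled-stream signature matching."""

SIGNATURE = b"MARKER-STRING"  # constructed, harmless stand-in for a signature
# Constructed (relative seq, payload) pairs in arrival order: the third
# segment of the stream arrives before the second, as in the scenario above.
SEGMENTS = [(0, b"aaaaMARK"), (16, b"Gbbbb"), (8, b"ER-STRIN")]


class StreamReassembler:
    """Hypothetical reassembler: orders bytes by sequence number only."""

    def __init__(self, isn=0):
        self.next_seq = isn        # next in-order byte expected
        self.pending = {}          # seq -> payload waiting for a gap to fill
        self.stream = bytearray()  # contiguous data seen so far

    def add(self, seq, payload):
        """Buffer one segment and return the bytes that became contiguous."""
        if seq < self.next_seq:    # already delivered (retransmission): ignore
            return b""
        # Assumption: segments do not partially overlap; first copy wins.
        self.pending.setdefault(seq, payload)
        flushed = bytearray()
        while self.next_seq in self.pending:
            data = self.pending.pop(self.next_seq)
            flushed += data
            self.next_seq += len(data)
        self.stream += flushed
        return bytes(flushed)


def per_packet_hits(segments, sig):
    """Sequence numbers of segments that contain the signature on their own."""
    return [seq for seq, payload in segments if sig in payload]


def stream_hits(segments, sig):
    """First stream offset of the signature found after each in-order flush."""
    reasm, hits = StreamReassembler(), []
    for seq, payload in segments:
        new = reasm.add(seq, payload)
        if not new:
            continue               # still a gap: nothing new to inspect
        # Re-scan len(sig)-1 bytes of old data so boundary-spanning matches count.
        start = max(0, len(reasm.stream) - len(new) - len(sig) + 1)
        idx = reasm.stream.find(sig, start)
        if idx != -1:
            hits.append(idx)
    return hits
```
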
Current thread:
- TCP Sack processing snort user (Aug 09)
- Re: TCP Sack processing Krzysztof Cabaj (Aug 10)
- Re: TCP Sack processing Joachim Schipper (Aug 12)
- Re: TCP Sack processing Joel Esler (Aug 13)
- Re: TCP Sack processing Martin Roesch (Aug 14)
- Re: TCP Sack processing snort user (Aug 13)
- Re: TCP Sack processing Joel Esler (Aug 13)