Re: TCP Sack processing

[Joel Esler <eslerj () gmail com>]

IIRC, Snort's preprocs do a very good job of keeping that state stuff
in combination between Stream4 and the new frag3.  Basically this is
my opinion, and I need someone from SF to back me up.

J

On 8/11/05, Joachim Schipper <j.schipper () math uu nl> wrote:
> On Tue, Aug 09, 2005 at 04:28:10PM -0400, snort user wrote:
> > Greetings.
> >
> > Does TCP stream reassembly algorithm need TCP SACK processing for completeness ?
> > Are there scenarios that an IDS/IPS would miss an attack if it does
> > not take the selective acks into consideration.
> >
> > Any comments/opinions/pointers is appreciated.
> >
> > Thanks
>
> Well, I am not an expert, but...
>
> Suppose I have an exploit that requires a TCP connection. I open the
> connection, send packet #1 and #3, and then sent #2 after #3 has been
> SACK'ed. Wouldn't that work, and bypass your IDS, especially if the
> exploit is divided over the packets in a smart way?
>
>                 Joachim
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
> to learn more.
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------