Firewall Wizards mailing list archives

Re: TCP segments with overlapping data


From: Ng Pheng Siong <ngps () post1 com>
Date: Thu, 6 Dec 2001 01:02:46 +0800

On Mon, Dec 03, 2001 at 06:37:14PM -0500, miedaner wrote:
> My question is what is TCP overlapping data?
> What is the vulnerability associated?

As explained by Vern.

Next, you may want to determine if this TCP overlapping traffic you're
seeing is benign or hostile. 

- Tabulate the remote IP addresses sending such traffic. See if you can
  eye-ball any trend or grouping.

- If you spot a trend or a group, put a sniffer to capture more of the
  traffic and study the traffic.

(Is your IDS probe in front or behind your firewall?)

Before you do the above though: Does your security policy or incident
response manual tell you how much to follow up in such situations? 

If not, what is the point of installing the IDS, or, IOW, how do you go
from reading your IDS's output to deciding that you should invoke your
local SIRT?

Cheers.
-- 
Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps
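The tabulation step above is easy to automate once you have the captured segments. The following is an added example, not code from the post or from any list member: it takes a list of TCP segments (source, destination, sequence number, payload) that I construct inline, finds pairs in the same flow whose sequence ranges overlap, and separates benign overlaps (retransmissions carrying identical bytes) from conflicting ones (the same sequence range sent with different data, which is what an evasion attempt against an IDS looks like). It then counts the remote addresses responsible, which is the "eye-ball any trend or grouping" step. The Segment/Overlap types, the sample addresses and the flow key (source and destination IP only, no ports, no sequence wraparound handling) are simplifications I assumed for the example.

```python
from collections import Counter, defaultdict, namedtuple

# Minimal segment model assumed for this example: one flow is keyed by
# (src, dst); a real tool would also key on ports and handle seq wraparound.
Segment = namedtuple("Segment", "src dst seq payload")

# One overlap report: the two segments involved, the absolute sequence
# number where the overlap starts, its length, and whether the bytes differ.
Overlap = namedtuple("Overlap", "earlier later start length conflicting")


def find_overlaps(segments):
    """Return an Overlap for every pair of segments in the same flow whose
    sequence ranges intersect. Adjacent segments (one ends exactly where the
    next begins) are not overlaps."""
    flows = defaultdict(list)
    for seg in segments:
        flows[(seg.src, seg.dst)].append(seg)

    reports = []
    for flow_segs in flows.values():
        seen = []  # segments already observed on this flow, in arrival order
        for cur in flow_segs:
            cur_end = cur.seq + len(cur.payload)
            for prev in seen:
                prev_end = prev.seq + len(prev.payload)
                lo = max(cur.seq, prev.seq)
                hi = min(cur_end, prev_end)
                if lo >= hi:
                    continue  # no shared bytes
                # Compare only the bytes that both segments claim to carry.
                old_bytes = prev.payload[lo - prev.seq:hi - prev.seq]
                new_bytes = cur.payload[lo - cur.seq:hi - cur.seq]
                reports.append(Overlap(prev, cur, lo, hi - lo,
                                       old_bytes != new_bytes))
            seen.append(cur)
    return reports


def tabulate_by_source(reports, conflicting_only=True):
    """Count overlapping segments per sending address. By default only the
    conflicting ones are counted, since identical retransmissions are
    ordinary TCP behaviour."""
    return Counter(r.later.src for r in reports
                   if r.conflicting or not conflicting_only)


# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE_SEGMENTS = [
    # Flow 1: a plain retransmission, then the next in-order segment.
    Segment("198.51.100.7", "192.0.2.10", 1000, b"GET /index"),
    Segment("198.51.100.7", "192.0.2.10", 1000, b"GET /index"),   # identical
    Segment("198.51.100.7", "192.0.2.10", 1010, b".html HTTP"),   # adjacent
    # Flow 2: same sequence range resent with different bytes.
    Segment("203.0.113.5", "192.0.2.10", 2000, b"GET /inde"),
    Segment("203.0.113.5", "192.0.2.10", 2000, b"GET /xxxx"),     # conflict
    # Flow 3: partial overlap on the tail of an earlier segment.
    Segment("203.0.113.5", "192.0.2.20", 3000, b"ABCDEF"),
    Segment("203.0.113.5", "192.0.2.20", 3003, b"XYZ"),           # conflict
]


if __name__ == "__main__":
    found = find_overlaps(SAMPLE_SEGMENTS)
    for r in found:
        kind = "CONFLICT" if r.conflicting else "retransmit"
        print(f"{r.later.src} -> {r.later.dst} seq {r.start} "
              f"len {r.length}: {kind}")
    print("conflicting overlaps per source:", tabulate_by_source(found))
```

Running this against a real capture means replacing SAMPLE_SEGMENTS with segments decoded from your sniffer output; the logic is the same. Addresses that show up repeatedly in the conflicting column are the ones worth the closer look the post recommends.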

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
