Firewall Wizards mailing list archives

RE: Re: TCP segments with overlapping data


From: "Kowsik Guruswamy" <kowsik () doublek net>
Date: Mon, 29 Apr 2002 08:24:29 -0700

Depends. Just because you get overlapping TCP segments isn't a problem and
you shouldn't be alerted on it.

OTOH, overlapping TCP segments with different data in the overlapping part
is definitely an issue. Different stacks interpret this in different ways
(first arrived segment, the last arrived segment, the one with the right
timestamp - PAWS, etc...).

A sniffer-based IDS cannot in general determine what the target OS will do
with the packet. Someone could easily evade your IDS using this mechanism.

K.

-----Original Message-----
From: firewall-wizards-admin () nfr com
[mailto:firewall-wizards-admin () nfr com] On Behalf Of Michael Szie Wee Kwang
Sent: Thursday, April 25, 2002 9:25 PM
To: firewall-wizards () nfr com
Subject: [fw-wiz] Re: TCP segments with overlapping data


Hi,

TCP overlapping reported by IDS is not an issue at all, am I right?

Regards
Michael
michaelszie () jos com sg
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
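
Added example (not part of the original posts): a passive sensor can separate the harmless case in the reply above (overlap with identical bytes, such as a retransmission) from the one worth alerting on (overlap with different bytes), and can show that first-arrival and last-arrival reassembly then yield different streams. Function names and sample segments are constructed for illustration; sequence numbers are relative with no wraparound, and the timestamp/PAWS policy is not modeled.

```python
# Segments are (relative_seq, payload) pairs listed in arrival order.
# Both sample captures below are constructed for this example.
RETRANSMIT = [(0, b"GET /index"), (4, b"/index.html")]   # overlap, same bytes
CONFLICT = [(0, b"AAAABBBB"), (4, b"CCCCDDDD")]          # overlap, different bytes

def classify_overlaps(segments):
    """Return (start, end, kind) for every overlapping sequence range.

    kind is 'consistent' when both segments carry the same bytes in the
    shared range, 'inconsistent' when they differ.
    """
    findings = []
    for i, (seq_a, data_a) in enumerate(segments):
        for seq_b, data_b in segments[i + 1:]:
            start = max(seq_a, seq_b)
            end = min(seq_a + len(data_a), seq_b + len(data_b))
            if start >= end:
                continue  # the two segments share no sequence space
            same = (data_a[start - seq_a:end - seq_a]
                    == data_b[start - seq_b:end - seq_b])
            findings.append((start, end, "consistent" if same else "inconsistent"))
    return findings

def reassemble(segments, policy):
    """Rebuild the stream keeping the 'first' or the 'last' arrival per byte.

    Gaps in sequence space are skipped rather than padded.
    """
    stream = {}
    for seq, data in segments:
        for offset, byte in enumerate(data):
            if policy == "last" or seq + offset not in stream:
                stream[seq + offset] = byte
    return bytes(stream[pos] for pos in sorted(stream))

def is_ambiguous(segments):
    """True when the two policies disagree, i.e. the sensor cannot know
    which byte stream the end host actually delivered to the application."""
    return reassemble(segments, "first") != reassemble(segments, "last")

if __name__ == "__main__":
    for name, capture in (("RETRANSMIT", RETRANSMIT), ("CONFLICT", CONFLICT)):
        print(name, classify_overlaps(capture),
              reassemble(capture, "first"), reassemble(capture, "last"),
              "ALERT" if is_ambiguous(capture) else "ok")
```

Alerting only when `is_ambiguous` is true keeps ordinary retransmissions quiet while still flagging the streams whose meaning depends on the receiving stack.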
