Re: did you witness overlapping packets in the wild ?
From: vern@ee.lbl.gov
Date: 11/30/01
Message-Id: <200111300827.fAU8QxI42426@yak.aciri.org>
From: vern@ee.lbl.gov
To: Philippe BISCONDI <philippe.biscondi@free.fr>
Subject: Re: did you witness overlapping packets in the wild ?
Date: Fri, 30 Nov 2001 00:26:59 -0800

> Are overlapping packets witnessed in the wild ?

Yes. See section 7.3, "Crud seen on a DMZ", of:

http://www.aciri.org/vern/papers/bro-CN99.html

> Is it quite unusual ?

I'd say on average, at LBL we see a few each day, though that's out of a
large traffic stream.

> Are there somewhat special protocols making use of overlapping
> data at ip or tcp level ?

There shouldn't be any that "make use" of it to try to achieve some effect.
A worry, though, is whether legitimate apps might inadvertently generate
these, and then you'll terminate their connections unnecessarily. From
my experience, yes, legitimate apps do these sorts of things sometimes,
but they're quite rare.

> <2> mitigate IDS desynchronization and more generally issues with content
> filters

In this context, you might want to check out

http://www.aciri.org/vern/papers/norm-usenix-sec-01-html/index.html

- Vern
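
An added example, not part of the message above and not code from Bro or the papers it links: one way a monitor could flag overlapping TCP data while separating overlaps whose bytes agree (which a legitimate stack can produce when it retransmits with different segmentation) from overlaps whose bytes differ. The consistent/inconsistent split, the names `Overlap` and `find_overlaps`, and the sample segments are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class Overlap:
    start: int        # first overlapping sequence number
    end: int          # one past the last overlapping sequence number
    consistent: bool  # True if the new copy matches the bytes seen first

def find_overlaps(segments):
    """segments: (seq, payload) tuples in arrival order, one direction of one
    connection. Returns an Overlap for every run of bytes that was already seen.
    Assumption: sequence-number wraparound is ignored to keep the example short."""
    seen = {}       # sequence number -> byte value first seen at that position
    overlaps = []
    for seq, payload in segments:
        run_start, run_ok = None, True
        for i, b in enumerate(payload):
            pos = seq + i
            if pos in seen:
                if run_start is None:          # a new overlapping run begins
                    run_start, run_ok = pos, True
                run_ok = run_ok and seen[pos] == b
            else:
                if run_start is not None:      # run ended inside this segment
                    overlaps.append(Overlap(run_start, pos, run_ok))
                    run_start = None
                seen[pos] = b                  # first copy of this byte
        if run_start is not None:              # run reached the segment's end
            overlaps.append(Overlap(run_start, seq + len(payload), run_ok))
    return overlaps

# Constructed sample segments (not captured traffic).
SAMPLE_SEGMENTS = [
    (1000, b"GET /index"),   # covers 1000..1009
    (1005, b"index.html"),   # re-sends 1005..1009 with the same bytes
    (1012, b"XYZ"),          # re-sends 1012..1014 with different bytes
]

if __name__ == "__main__":
    for o in find_overlaps(SAMPLE_SEGMENTS):
        kind = "consistent (log only)" if o.consistent else "INCONSISTENT (alert)"
        print(f"overlap seq {o.start}..{o.end - 1}: {kind}")
```

Alerting only on the inconsistent case keeps the monitor from acting on the rare but legitimate overlaps the message describes.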