Re: TCP Sack processing
From: Krzysztof Cabaj (kcabaj_at_gmail.com)
Date: 08/10/05
- Previous message: Martin Roesch: "Re: Cisco IOS Shellcode - McAfee IPS Protection"
- In reply to: snort user: "TCP Sack processing"
- Next in thread: Joachim Schipper: "Re: TCP Sack processing"
Date: Wed, 10 Aug 2005 00:23:15 +0200
To: snort user <snort.user@gmail.com>
Hi,
> Does the TCP stream reassembly algorithm need TCP SACK processing for completeness?
> Are there scenarios in which an IDS/IPS would miss an attack if it does
> not take the selective ACKs into consideration?
>
> Any comments/opinions/pointers are appreciated.
Theoretically, even small differences between the IDS/IPS reassembly routine
and the network stack of the destination (attacked) machine could allow
detection to be avoided. To be 100% sure, this routine and the protected
machine's stack should be identical.
Best regards,
Krzysztof (Christopher) Cabaj
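
Added example, not part of the original message or of Snort's code: a sensor-side check that flags a flow when two reassembly policies would yield different byte streams, which is the kind of difference the reply describes. It assumes overlapping segments with conflicting data as the source of the difference and two simplified policies ("first" and "last"); the function names and segment values are constructed for illustration.

```python
# Added illustration; segment values are constructed, not captured traffic.

def reassemble(segments, policy):
    """Rebuild a stream from (relative_seq, data) segments in arrival order.

    policy "first": bytes already received are kept, later overlaps ignored.
    policy "last":  later segments overwrite earlier bytes.
    Returns the contiguous stream from offset 0 up to the first gap.
    """
    stream = {}
    for seq, data in segments:
        for i, b in enumerate(data):
            pos = seq + i
            if policy == "last" or pos not in stream:
                stream[pos] = b
    out = bytearray()
    pos = 0
    while pos in stream:
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def conflicting_overlaps(segments):
    """Return sorted offsets where two segments supply different bytes."""
    seen, conflicts = {}, set()
    for seq, data in segments:
        for i, b in enumerate(data):
            pos = seq + i
            if pos in seen and seen[pos] != b:
                conflicts.add(pos)
            seen.setdefault(pos, b)
    return sorted(conflicts)


def is_ambiguous(segments):
    """True when the policies disagree, so the sensor cannot know which
    byte stream the protected host will hand to its application."""
    return reassemble(segments, "first") != reassemble(segments, "last")


# Constructed sample: second segment overlaps offsets 4-7, differs at 5-7.
SAMPLE = [(0, b"GET /abc"), (4, b"/xyz HTTP/1.0\r\n")]
# Constructed benign retransmission: the overlap carries identical bytes.
RETRANS = [(0, b"GET /abc"), (4, b"/abc HTTP/1.0\r\n")]

if __name__ == "__main__":
    for name, segs in (("sample", SAMPLE), ("retransmission", RETRANS)):
        print(name, is_ambiguous(segs), conflicting_overlaps(segs))
```

A flow for which is_ambiguous() returns True is one the sensor should alert on or normalize rather than guess at; an ordinary retransmission carries identical bytes and is not flagged.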