Re: TCP Sack processing
From: Joachim Schipper (j.schipper_at_math.uu.nl)
Date: 08/11/05
- Previous message: Bill Stout: "RE: Looking for HIDS-only products for XP/2000Pro"
- In reply to: snort user: "TCP Sack processing"
- Next in thread: Joel Esler: "Re: TCP Sack processing"
- Reply: Joel Esler: "Re: TCP Sack processing"
- Reply: snort user: "Re: TCP Sack processing"
Date: Thu, 11 Aug 2005 10:34:43 +0200 To: focus-ids@securityfocus.com
On Tue, Aug 09, 2005 at 04:28:10PM -0400, snort user wrote:
> Greetings.
>
> Does TCP stream reassembly algorithm need TCP SACK processing for completeness?
> Are there scenarios that an IDS/IPS would miss an attack if it does
> not take the selective acks into consideration?
>
> Any comments/opinions/pointers are appreciated.
>
> Thanks
Well, I am not an expert, but...
Suppose I have an exploit that requires a TCP connection. I open the
connection, send packets #1 and #3, and then send #2 after #3 has been
SACK'ed. Wouldn't that work, and bypass your IDS, especially if the
exploit is divided over the packets in a smart way?
Joachim
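
The scenario described in this message, as an added example that is not part of the original post: a reassembler that orders bytes by TCP sequence number sees the same stream whatever the arrival order, because a SACK block only reports which ranges the receiver already holds. The class name, segment data and marker string are constructed for illustration, and sequence-number wraparound is ignored.

```python
# Added example: sequence-number-based reassembly for one direction of a flow,
# compared with per-packet matching. All data below is constructed.

SIGNATURE = b"EVIL-MARKER"  # constructed stand-in for a signature pattern


class StreamReassembler:
    """Holds out-of-order segments and releases bytes in sequence order."""

    def __init__(self, isn):
        self.next_seq = isn  # next in-order byte the sensor expects
        self.pending = {}    # seq -> payload held until the gap closes
        self.stream = b""    # contiguous bytes delivered so far

    def add(self, seq, payload):
        # Keep the first copy seen for a given sequence number.
        self.pending.setdefault(seq, payload)
        # Drain everything that is now contiguous; bytes already delivered
        # win over later overlapping copies (one possible overlap policy).
        while self.pending and min(self.pending) <= self.next_seq:
            start = min(self.pending)
            data = self.pending.pop(start)[self.next_seq - start:]
            self.stream += data
            self.next_seq += len(data)
        return self.stream


def per_packet_hit(segments):
    """Match the signature against each segment payload in isolation."""
    return any(SIGNATURE in payload for _, payload in segments)


def reassembled_hit(isn, segments):
    """Match the signature against the in-order stream after each segment."""
    reasm = StreamReassembler(isn)
    return any(SIGNATURE in reasm.add(seq, payload) for seq, payload in segments)


ISN = 1000
# Constructed segments #1, #3, #2 in arrival order: #3 arrives (and would be
# SACKed by the receiver) before the gap left by #2 is filled.
ARRIVAL = [
    (1000, b"GET /a?x=EV"),
    (1017, b"KER HTTP/1.0\r\n"),
    (1011, b"IL-MAR"),
]

if __name__ == "__main__":
    print("per-packet match:", per_packet_hit(ARRIVAL))
    print("reassembled match:", reassembled_hit(ISN, ARRIVAL))
```
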