Re: TCP Sack processing

From: Joel Esler (eslerj_at_gmail.com)
Date: 08/13/05

    Date: Sat, 13 Aug 2005 08:10:22 -0400
    To: focus-ids@securityfocus.com
    
    

    IIRC, Snort's preprocs do a very good job of keeping that state stuff
    in combination between Stream4 and the new frag3. Basically this is
    my opinion, and I need someone from SF to back me up.

    J

    On 8/11/05, Joachim Schipper <j.schipper@math.uu.nl> wrote:
    > On Tue, Aug 09, 2005 at 04:28:10PM -0400, snort user wrote:
    > > Greetings.
    > >
    > > Does TCP stream reassembly algorithm need TCP SACK processing for completeness ?
    > > Are there scenarios that an IDS/IPS would miss an attack if it does
    > > not take the selective acks into consideration.
    > >
    > > Any comments/opinions/pointers are appreciated.
    > >
    > > Thanks
    >
    > Well, I am not an expert, but...
    >
    > Suppose I have an exploit that requires a TCP connection. I open the
    > connection, send packet #1 and #3, and then send #2 after #3 has been
    > SACK'ed. Wouldn't that work, and bypass your IDS, especially if the
    > exploit is divided over the packets in a smart way?
    >
    > Joachim
    >

    ------------------------------------------------------------------------
    Test Your IDS

    Is your IDS deployed correctly?
    Find out quickly and easily by testing it
    with real-world attacks from CORE IMPACT.
    Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
    to learn more.
    ------------------------------------------------------------------------
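The reordering scenario Joachim describes (segments #1 and #3 arrive, then #2 fills the gap) is what a sensor's stream reassembler has to cope with. The following is an added example, not code from the thread or from Snort: a minimal sequence-number-based reassembler that holds out-of-order segments until the gap closes, compared with inspecting payloads in arrival order. Segment contents, sequence numbers and the match pattern are constructed for illustration, and the buffer assumes non-overlapping segments.

```python
# Added example: TCP stream reassembly by sequence number, so a payload split
# across segments delivered as #1, #3, #2 is inspected as one contiguous stream.
# Whether the receiver SACKs #3 or not, the sensor must buffer it the same way.
from dataclasses import dataclass, field


@dataclass
class Segment:
    seq: int        # sequence number of the first payload byte
    payload: bytes


@dataclass
class StreamReassembler:
    """One direction of a TCP stream, rebuilt from possibly reordered segments."""
    next_seq: int                                  # next in-order byte expected
    pending: dict = field(default_factory=dict)    # seq -> payload held out of order
    data: bytes = b""                              # contiguous bytes reassembled so far

    def add(self, seg: Segment) -> None:
        # Park the segment, then drain everything that is now contiguous.
        # Assumes non-overlapping segments (overlap policy is a separate topic).
        self.pending[seg.seq] = seg.payload
        while self.next_seq in self.pending:
            chunk = self.pending.pop(self.next_seq)
            self.data += chunk
            self.next_seq += len(chunk)


def arrival_order_bytes(segments) -> bytes:
    """What a sensor sees if it only concatenates payloads as they arrive."""
    return b"".join(s.payload for s in segments)


# Constructed sample: the pattern straddles three segments sent as #1, #3, #2.
PATTERN = b"GET /signature-path"
IN_ORDER = [Segment(1000, b"GET "), Segment(1004, b"/signa"),
            Segment(1010, b"ture-path HTTP/1.0\r\n")]
ARRIVAL = [IN_ORDER[0], IN_ORDER[2], IN_ORDER[1]]


def reassembled_stream() -> bytes:
    r = StreamReassembler(next_seq=1000)
    for s in ARRIVAL:
        r.add(s)
    return r.data


def reassembled_match() -> bool:
    return PATTERN in reassembled_stream()          # True


def arrival_order_match() -> bool:
    return PATTERN in arrival_order_bytes(ARRIVAL)  # False: pattern never contiguous
```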

