IIRC, Snort's preprocs do a very good job of keeping that state stuff
in combination between Stream4 and the new frag3. Basically this is
my opinion, and I need someone from SF to back me up.
J
On 8/11/05, Joachim Schipper <j.schipper@math.uu.nl> wrote:
On Tue, Aug 09, 2005 at 04:28:10PM -0400, snort user wrote:
Greetings.
Does TCP stream reassembly algorithm need TCP SACK processing for
completeness ?
Are there scenarios that an IDS/IPS would miss an attack if it does
not take the selective acks into consideration.
Any comments/opinions/pointers is appreciated.
Thanks
Well, I am not an expert, but...
Suppose I have an exploit that requires a TCP connection. I open the
connection, send packet #1 and #3, and then sent #2 after #3 has been
SACK'ed. Wouldn't that work, and bypass your IDS, especially if the
exploit is divided over the packets in a smart way?
Joachim
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
