IDS mailing list archives
Re: TCP Sack processing
From: Krzysztof Cabaj <kcabaj () gmail com>
Date: Wed, 10 Aug 2005 00:23:15 +0200
Hi,
Does the TCP stream reassembly algorithm need TCP SACK processing for completeness? Are there scenarios in which an IDS/IPS would miss an attack if it does not take the selective acks into consideration? Any comments/opinions/pointers are appreciated.
Theoretically, even small differences between the IDS/IPS reassembly routine and the network stack of the destination (attacked) machine could avoid detection. To be 100% sure, this routine and the protected machine's stack should be identical.

Best regards,
Krzysztof (Christopher) Cabaj
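The reply's point about reassembly differences, shown as an added example that is not part of the original post: the same captured segments are rebuilt under two overlap policies, and a check reports the offsets where a sensor and an end host could disagree. The choice of overlap handling as the illustrated difference, the function names and the sample segments are assumptions made for this sketch.

```python
from typing import Dict, List, Tuple

# (relative sequence number, payload), listed in arrival order
Segment = Tuple[int, bytes]

# Constructed sample: the bytes at offsets 7..9 arrive twice with different content.
SAMPLE: List[Segment] = [
    (0, b"GET /in"),
    (7, b"dex"),
    (7, b"XYZ"),
    (10, b".html"),
]


def reassemble(segments: List[Segment], policy: str) -> bytes:
    """Rebuild the stream; overlapping bytes are resolved 'first' or 'last' wins."""
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream: Dict[int, int] = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            if policy == "last" or seq + i not in stream:
                stream[seq + i] = byte
    out = bytearray()
    pos = 0
    while pos in stream:  # deliver only contiguous data, stop at the first hole
        out.append(stream[pos])
        pos += 1
    return bytes(out)


def conflicting_offsets(segments: List[Segment]) -> List[int]:
    """Offsets where a later copy of a byte differs from the first copy seen.

    Any hit means the stream content depends on the receiver's overlap
    policy, so the sensor should alert or normalise instead of guessing.
    """
    seen: Dict[int, int] = {}
    conflicts = set()
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            off = seq + i
            if seen.setdefault(off, byte) != byte:
                conflicts.add(off)
    return sorted(conflicts)


if __name__ == "__main__":
    print(reassemble(SAMPLE, "first"), reassemble(SAMPLE, "last"))
    print("policy-dependent offsets:", conflicting_offsets(SAMPLE))
```

An identical retransmission produces no conflicts, so the check only fires when the two copies of a byte actually differ.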
Current thread:
- TCP Sack processing snort user (Aug 09)
- Re: TCP Sack processing Krzysztof Cabaj (Aug 10)
- Re: TCP Sack processing Joachim Schipper (Aug 12)
- Re: TCP Sack processing Joel Esler (Aug 13)
- Re: TCP Sack processing Martin Roesch (Aug 14)
- Re: TCP Sack processing snort user (Aug 13)
- Re: TCP Sack processing Joel Esler (Aug 13)