IDS mailing list archives

Re: TCP Sack processing


From: Krzysztof Cabaj <kcabaj () gmail com>
Date: Wed, 10 Aug 2005 00:23:15 +0200

Hi,

> Does TCP stream reassembly algorithm need TCP SACK processing for completeness?
> Are there scenarios that an IDS/IPS would miss an attack if it does
> not take the selective acks into consideration?
>
> Any comments/opinions/pointers are appreciated.

Theoretically, even small differences between the IDS/IPS reassembly
routine and the destination (attacked) machine's network stack could
allow detection to be avoided. To be 100% sure, this routine and the
protected machine's stack should be identical.

Best regards,
Krzysztof (Christopher) Cabaj
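
The point in the reply above, shown as an added example that is not part of the original post: two reassembly routines that differ only in how they resolve overlapping segments rebuild different streams from the same packets, and a sensor can flag the conflicting bytes instead of guessing. This goes beyond SACK to the general overlap case; the function names, the two policies and the segment data are assumptions constructed for illustration.

```python
# Added illustration; segment data below is constructed, not captured traffic.

def reassemble(segments, policy):
    """Rebuild a byte stream from (relative_seq, data) segments in arrival order.

    policy="first": bytes already received are kept (older data wins).
    policy="last":  later arrivals overwrite earlier bytes (newer data wins).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    stream = {}
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if policy == "last" or off not in stream:
                stream[off] = byte
    # Deliver only the contiguous prefix; a hole stalls delivery as in TCP.
    out = bytearray()
    off = 0
    while off in stream:
        out.append(stream[off])
        off += 1
    return bytes(out)


def conflicting_offsets(segments):
    """Offsets where an overlapping byte differs from the first copy seen."""
    seen = {}
    conflicts = set()
    for seq, data in segments:
        for i, byte in enumerate(data):
            off = seq + i
            if seen.setdefault(off, byte) != byte:
                conflicts.add(off)
    return sorted(conflicts)


# Constructed sample: the third segment overlaps offsets 4-7 with different bytes.
SEGMENTS = [(0, b"USER"), (4, b"AAAA"), (4, b"BBBB"), (8, b"\r\n")]

if __name__ == "__main__":
    print("sensor (first wins):", reassemble(SEGMENTS, "first"))
    print("host   (last wins): ", reassemble(SEGMENTS, "last"))
    print("conflicting offsets:", conflicting_offsets(SEGMENTS))
```

A non-empty result from `conflicting_offsets` means the stream is ambiguous between stacks, so it is worth alerting on or normalizing regardless of which policy the sensor itself uses.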
