Hi, > Does TCP stream reassembly algorithm need TCP SACK processing for > completeness ? > Are there scenarios that an IDS/IPS would miss an attack if it does > not take the selective acks into consideration. > > Any comments/opinions/pointers is appreciated. Theoretically even small differences in IDS/IPS reassembly routine and destination, attacked machine network stack could avoid detection. To be 100% sure this routine and protected machine stack should be identic.
Best regards, Krzysztof (Christopher) Cabaj ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
