On Tue, Aug 09, 2005 at 04:28:10PM -0400, snort user wrote:
> Greetings.
>
> Does TCP stream reassembly algorithm need TCP SACK processing for
> completeness ?
> Are there scenarios that an IDS/IPS would miss an attack if it does
> not take the selective acks into consideration.
>
> Any comments/opinions/pointers is appreciated.
>
> Thanks
Well, I am not an expert, but...
Suppose I have an exploit that requires a TCP connection. I open the
connection, send packet #1 and #3, and then sent #2 after #3 has been
SACK'ed. Wouldn't that work, and bypass your IDS, especially if the
exploit is divided over the packets in a smart way?
Joachim
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
------------------------------------------------------------------------
