IIRC, Snort's preprocs do a very good job of keeping that state stuff in combination between Stream4 and the new frag3. Basically this is my opinion, and I need someone from SF to back me up.
J On 8/11/05, Joachim Schipper <[EMAIL PROTECTED]> wrote: > On Tue, Aug 09, 2005 at 04:28:10PM -0400, snort user wrote: > > Greetings. > > > > Does TCP stream reassembly algorithm need TCP SACK processing for > > completeness ? > > Are there scenarios that an IDS/IPS would miss an attack if it does > > not take the selective acks into consideration. > > > > Any comments/opinions/pointers is appreciated. > > > > Thanks > > Well, I am not an expert, but... > > Suppose I have an exploit that requires a TCP connection. I open the > connection, send packet #1 and #3, and then sent #2 after #3 has been > SACK'ed. Wouldn't that work, and bypass your IDS, especially if the > exploit is divided over the packets in a smart way? > > Joachim > > ------------------------------------------------------------------------ > Test Your IDS > > Is your IDS deployed correctly? > Find out quickly and easily by testing it > with real-world attacks from CORE IMPACT. > Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 > to learn more. > ------------------------------------------------------------------------ > > ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more. ------------------------------------------------------------------------
