[Bro-Dev] [JIRA] (BIT-1314) Detect "quantum insert" type of attacks
Jon Siwek (JIRA)
jira at bro-tracker.atlassian.net
Mon Feb 9 07:30:00 PST 2015
[ https://bro-tracker.atlassian.net/browse/BIT-1314?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=19600#comment-19600 ]
Jon Siwek commented on BIT-1314:
--------------------------------
Handling the "rexmit_inconsistency" event and comparing the mismatched content might be a way to do what you want.
https://www.bro.org/sphinx/scripts/base/bif/event.bif.bro.html?highlight=rexmit_inconsistency#id-rexmit_inconsistency
> Detect "quantum insert" type of attacks
> ---------------------------------------
>
> Key: BIT-1314
> URL: https://bro-tracker.atlassian.net/browse/BIT-1314
> Project: Bro Issue Tracker
> Issue Type: New Feature
> Components: Bro
> Reporter: David André
>
> Add detection for "quantum insert" type of attacks. Since the leaked information is classified, I will try to explain in unclassified form what it is about.
> The idea is that you have a passive adversary that sniff your TCP sequence numbers and inject its malicious payload faster than the real server.
> One of the leaked documents mentions as an alerting mechanism to detect duplicate TCP sequence numbers from same source, where at least 10% of the beginning of the content of the two packets differs.
--
This message was sent by Atlassian JIRA
(v6.4-OD-14-082#64012)
More information about the bro-dev
mailing list