[Bro] Check tcp sequence number ?
rmkml
rmkml at wanadoo.fr
Wed Dec 1 08:19:01 PST 2004
Hi,
Thanks for the reply, Christian.
First test with www.bro-ids.org (see the attached pcap1 file):
The injected packet is no. 4.
Bro 0.9a7: no event...
Another test on www.snort.org (this web server does not ACK; pcap2 file):
The injected packet is no. 4.
Bro 0.9a7: no event...
Regards
Rmkml at Wanadoo.fr
PS: Strange: in the first test the Bro web server did not ACK, but after the Snort test the Bro web server did ACK!
On Wed, 1 Dec 2004, Christian Kreibich wrote:
> Date: Wed, 01 Dec 2004 01:44:12 +0000
> From: Christian Kreibich <christian at whoop.org>
> To: Bro List <bro at bro-ids.org>
> Subject: Re: [Bro] Check tcp sequence number ?
>
> On Tue, 2004-11-30 at 21:00, rmkml wrote:
>> Yes,
>> but let me explain my problem:
>> $ telnet xxx
>> $ hping2 sends a PUSH on the open telnet TCP connection to xxx
>> My xxx ACKs, but the PUSH sequence number is bad.
>
> You mean intentionally bad (i.e., you set it to some garbage value), I
> presume.
>
>> Bro (Snort/Prelude/Firestorm) raises no event for this...
>> Strange?
>
> No -- there are precise semantics in TCP regarding what sequence numbers
> are acceptable at a given time, so anything outside of the acceptable
> window is just ignored. There's no danger of confusion here between the
> IDS and the end host, so it's not worth reporting.
>
> Note that Bro *does* report content gaps though.
>
> Regards,
> Christian.
-------------- next part --------------
Attachment: pbseqnum1.tcpdump.bz2 (application/octet-stream, 23184 bytes)
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20041201/5b21401c/attachment.obj
-------------- next part --------------
Attachment: pbseqnum2.tcpdump.bz2 (application/octet-stream, 997 bytes)
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20041201/5b21401c/attachment-0001.obj
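The acceptability test Christian refers to, written out as an added example (it is not code from the thread, from Bro, or from hping2). It implements the RFC 793 segment acceptance rule with 32-bit wraparound, feeds a constructed trace through a receiver model, and shows three outcomes: a PUSH with a garbage sequence number is dropped exactly as the end host drops it (so a stream-reassembling IDS has nothing to report), a PUSH whose sequence number happens to be the correct RCV.NXT is accepted as stream data (and the real server's segment is then the one discarded), and a segment that lands in the window but ahead of RCV.NXT leaves a hole, which is the kind of content gap Bro does report. The telnet-like payloads, the initial sequence number 0x1000, the injected value 0xDEADBEEF, and the simplified gap bookkeeping (no ACK generation, no FIN handling) are all assumptions made for the illustration.

```python
"""Receiver-side TCP segment acceptance (RFC 793 section 3.3) and in-order
reassembly, applied to the hping2 injection discussed in the thread.
Added illustration; the trace below is constructed, not taken from the pcaps."""

from dataclasses import dataclass, field

MASK = 0xFFFFFFFF


def seq_delta(a: int, b: int) -> int:
    """Signed distance a - b in 32-bit sequence space (positive: a is ahead of b)."""
    d = (a - b) & MASK
    return d - (1 << 32) if d & 0x80000000 else d


def seg_acceptable(seg_seq: int, seg_len: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """A segment is acceptable if its first or its last byte lies inside
    [RCV.NXT, RCV.NXT + RCV.WND); with a zero window only a bare segment at
    exactly RCV.NXT is accepted."""
    def in_wnd(x: int) -> bool:
        return 0 <= seq_delta(x, rcv_nxt) < rcv_wnd
    if seg_len == 0:
        return seg_seq == rcv_nxt if rcv_wnd == 0 else in_wnd(seg_seq)
    if rcv_wnd == 0:
        return False
    return in_wnd(seg_seq) or in_wnd((seg_seq + seg_len - 1) & MASK)


@dataclass
class Segment:
    seq: int
    payload: bytes
    push: bool = False


@dataclass
class TcpReceiver:
    """Sequence-number handling of the end host (and of an IDS that reassembles
    the stream the same way). ACK generation is deliberately left out."""
    rcv_nxt: int                                  # next in-order byte expected
    rcv_wnd: int = 65535
    data: bytearray = field(default_factory=bytearray)
    ooo: dict = field(default_factory=dict)       # in-window but ahead of RCV.NXT
    ignored: list = field(default_factory=list)   # out-of-window, dropped silently
    gaps: list = field(default_factory=list)      # (hole_start, hole_end) seen

    def receive(self, seg: Segment) -> str:
        if not seg_acceptable(seg.seq, len(seg.payload), self.rcv_nxt, self.rcv_wnd):
            # The host discards the data and at most answers with an ACK carrying
            # its real RCV.NXT (the "xxx ACKs" seen in the thread). Nothing reaches
            # the application, so there is nothing worth an IDS event.
            self.ignored.append(seg.seq)
            return "ignored"
        behind = seq_delta(self.rcv_nxt, seg.seq)
        if behind > 0:                            # partial overlap: trim old prefix
            seg = Segment((seg.seq + behind) & MASK, seg.payload[behind:], seg.push)
        if not seg.payload:
            return "duplicate"
        if seg.seq == self.rcv_nxt:
            self._append(seg.payload)
            self._drain_ooo()
            return "delivered"
        # In window but not contiguous: buffer it; the hole before it is a
        # content gap until the missing bytes show up.
        self.gaps.append((self.rcv_nxt, seg.seq))
        self.ooo[seg.seq] = seg.payload
        return "buffered"

    def open_gaps(self) -> list:
        """Holes not yet filled, i.e. what a monitor would report as content gaps."""
        return [g for g in self.gaps if seq_delta(self.rcv_nxt, g[1]) < 0]

    def _append(self, b: bytes) -> None:
        self.data += b
        self.rcv_nxt = (self.rcv_nxt + len(b)) & MASK

    def _drain_ooo(self) -> None:
        while self.rcv_nxt in self.ooo:
            self._append(self.ooo.pop(self.rcv_nxt))


def run_injection_scenario(injected_seq: int):
    """Constructed trace: server-to-client telnet-style data with one spoofed PUSH
    inserted at injected_seq. Returns per-segment verdicts, the reassembled
    stream, the ignored sequence numbers and the unfilled gaps."""
    irs = 0x1000                                   # assumed initial seq of the peer
    rx = TcpReceiver(rcv_nxt=irs + 1)              # state just after the SYN
    trace = [
        Segment(irs + 1, b"login: "),
        Segment(injected_seq, b"INJECTED\r\n", push=True),   # hping2-style spoof
        Segment(irs + 8, b"Password: "),
        Segment(irs + 30, b"tail"),                # ahead of RCV.NXT: leaves a hole
    ]
    verdicts = [rx.receive(s) for s in trace]
    return verdicts, bytes(rx.data), rx.ignored, rx.open_gaps()


if __name__ == "__main__":
    print(run_injection_scenario(0xDEADBEEF))     # garbage seq: dropped, no event
    print(run_injection_scenario(0x1008))         # correct guess: becomes stream data
```

Run with the garbage sequence number, the injected PUSH is the only segment in the ignored list and the reassembled stream is untouched, which is the behaviour the reply describes. Run with the guessed value 0x1008, the spoofed bytes become part of the stream and the server's genuine segment is now the one that fails the test as wholly old data: that is the case an IDS would have to catch on content, not on sequence numbers, because host and monitor agree on what was accepted.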