[Bro] Check tcp sequence number ?
rmkml
rmkml at wanadoo.fr
Tue Nov 30 13:00:11 PST 2004
Yes,
but let me explain my problem:
$ telnet xxx
$ hping2 send Push on tcp open telnet to xxx
my xxx Acks, but the Push sequence number is bad
Bro (snort/prelude/firestorm) does not raise an event for this ...
Strange?
Regards
Rmkml at Wanadoo.fr
On Tue, 30 Nov 2004, Christian Kreibich wrote:
> Date: Tue, 30 Nov 2004 16:56:36 +0000
> From: Christian Kreibich <christian at whoop.org>
> To: Bro List <bro at bro-ids.org>
> Subject: Re: [Bro] Check tcp sequence number ?
>
> On Tue, 2004-11-30 at 06:48, rmkml wrote:
>> Hi,
>>
>> Does Bro 09a7 check/verify the TCP sequence number?
>
> Yep sure -- you cannot do flow reassembly (which is necessary for any
> analysis beyond the packet level) without looking closely at the TCP
> sequence numbers.
>
> Cheers,
> Christian.
> --
> ________________________________________________________________________
> http://www.cl.cam.ac.uk/~cpk25
> http://www.whoop.org
>
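The check discussed in this thread, as an added example that is not part of the original messages and is not Bro's own code: a per-direction tracker that flags TCP data segments whose sequence number falls outside the window the receiver advertised. The flow is constructed sample data, all names are hypothetical, and it assumes the monitor sees the SYN and that window scaling is not in use.

```python
# Added example: constructed flow, hypothetical names, no window scaling.
from dataclasses import dataclass

MOD = 1 << 32

@dataclass
class Segment:
    src: str
    dst: str
    seq: int
    length: int
    flags: str          # e.g. "S", "SA", "A", "PA"
    window: int = 65535

def seq_diff(a, b):
    """Signed distance a - b in 32-bit TCP sequence space (handles wrap)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d

def out_of_window(segments):
    """Return (index, offset) for data segments outside the receive window."""
    next_seq, rcv_wnd, alerts = {}, {}, []
    for i, s in enumerate(segments):
        key, rev = (s.src, s.dst), (s.dst, s.src)
        rcv_wnd[rev] = s.window            # bounds what the peer may send us
        if "S" in s.flags:                 # SYN consumes one sequence number
            next_seq[key] = (s.seq + 1) % MOD
            continue
        if key not in next_seq or s.length == 0:
            continue                       # mid-stream pickup or pure ACK
        off = seq_diff(s.seq, next_seq[key])
        if abs(off) >= rcv_wnd.get(key, 65535):
            alerts.append((i, off))        # cannot belong to this stream now
        elif off <= 0 < off + s.length:    # contiguous new data: advance
            next_seq[key] = (s.seq + s.length) % MOD
    return alerts

C, S = "10.0.0.5:40000", "10.0.0.9:23"     # constructed telnet client/server
SAMPLE = [
    Segment(C, S, 1000, 0, "S"),
    Segment(S, C, 5000, 0, "SA"),
    Segment(C, S, 1001, 0, "A"),
    Segment(C, S, 1001, 5, "PA"),
    Segment(C, S, 900001001, 4, "PA"),     # constructed PSH with a bad seq
    Segment(C, S, 1006, 3, "PA"),
]

if __name__ == "__main__":
    print(out_of_window(SAMPLE))
```

A reassembler can silently drop such a segment as not belonging to the stream; reporting it is a separate policy decision, which is the gap the question above describes.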