[Bro] Check tcp sequence number ?
Christian Kreibich
christian at whoop.org
Tue Nov 30 17:44:12 PST 2004

On Tue, 2004-11-30 at 21:00, rmkml wrote:
> yes,
> but explain my pb :
> $ telnet xxx
> $ hping2 send Push on tcp open telnet to xxx
> my xxx Ack, but Push sequence number is bad

You mean intentionally bad (i.e., you set it to some garbage value), I
presume.

> bro (snort/prelude/firestorm) not event this ...
> Strange ?

No -- there are precise semantics in TCP regarding what sequence numbers
are acceptable at a given time, so anything outside of the acceptable
window is just ignored. There's no danger of confusion here between the
IDS and the end host, so it's not worth reporting.

Note that Bro *does* report content gaps though.

Regards,
Christian.
--
________________________________________________________________________
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org
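
The acceptability rule the reply refers to, as an added example that is not part of the original message and is not Bro's code: it implements the segment acceptability test from RFC 793, section 3.3, as a receiver (or an IDS tracking the same state) would apply it. The function names and all sample values are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* True when seq lies in [start, start + len) in modulo-2^32 sequence space.
 * Unsigned subtraction handles sequence number wraparound. */
static bool in_window(uint32_t seq, uint32_t start, uint32_t len)
{
    return (uint32_t)(seq - start) < len;
}

/* RFC 793 section 3.3 acceptability test.
 * rcv_nxt: next sequence number the receiver expects
 * rcv_wnd: current receive window
 * seg_seq: sequence number of the arriving segment
 * seg_len: octets the segment occupies (data plus SYN/FIN flags) */
bool seg_acceptable(uint32_t rcv_nxt, uint32_t rcv_wnd,
                    uint32_t seg_seq, uint32_t seg_len)
{
    if (seg_len == 0)
        return rcv_wnd == 0 ? seg_seq == rcv_nxt
                            : in_window(seg_seq, rcv_nxt, rcv_wnd);
    if (rcv_wnd == 0)
        return false;               /* no room for any data */
    /* Acceptable if the first or the last octet falls inside the window. */
    return in_window(seg_seq, rcv_nxt, rcv_wnd) ||
           in_window(seg_seq + seg_len - 1, rcv_nxt, rcv_wnd);
}

int main(void)
{
    /* Constructed receiver state: expecting 1000 with a 5840-byte window. */
    const uint32_t nxt = 1000, wnd = 5840;
    const struct { const char *what; uint32_t seq, len; } cases[] = {
        { "in-order data",               1000,        10 },
        { "garbage sequence number",     0xDEADBEEFu, 10 },
        { "retransmit overlapping nxt",  990,         20 },
        { "one byte past right edge",    1000 + 5840, 1  },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-28s seq=%10u len=%2u -> %s\n", cases[i].what,
               (unsigned)cases[i].seq, (unsigned)cases[i].len,
               seg_acceptable(nxt, wnd, cases[i].seq, cases[i].len)
                   ? "acceptable" : "ignored");
    return 0;
}
```

A segment injected with an arbitrary sequence number, as in the hping2 test quoted above, lands in the "ignored" case for both the end host and a monitor applying the same test.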