Project

General

Profile

Feature #2281

tcp stream: simpler IDS handling of overlap evasions

Added by Victor Julien over 2 years ago. Updated 4 months ago.

Status:
Assigned
Priority:
Normal
Assignee:
Target version:
Effort:
Difficulty:
Label:

Description

Currently we act only on 'ACKed' data so we can use target based reassembly to prevent evasions. This leads to 2 issues:

1. detection/logging always a bit delayed, which is worse in case of sudden flow cut offs. Then handling waits for flow timeout.
2. nobody ever sets the OS/ip mapping.

The idea of this ticket is to act on non-ACK'd data right away, and simply issue a warning (event) if data is different.


Related issues

Related to Support #2309: SuriCon 2017 brainstormNew12/01/2017Victor JulienActions
Related to Support #3288: Suricon 2019 brainstormNewVictor JulienActions
#1

Updated by Victor Julien about 2 years ago

#2

Updated by Victor Julien 4 months ago

This mode of operation would look quite a bit like the inline mode for app-layer. For detection it would be a bit more involved.

#3

Updated by Victor Julien 4 months ago

Also available in: Atom PDF