Actions
Feature #2281
opentcp stream: simpler IDS handling of overlap evasions
Effort:
Difficulty:
Label:
Description
Currently we act only on 'ACKed' data so we can use target based reassembly to prevent evasions. This leads to 2 issues:
1. detection/logging always a bit delayed, which is worse in case of sudden flow cut offs. Then handling waits for flow timeout.
2. nobody ever sets the OS/ip mapping.
The idea of this ticket is to act on non-ACK'd data right away, and simply issue a warning (event) if data is different.
Updated by Victor Julien almost 7 years ago
- Related to Task #2309: SuriCon 2017 brainstorm added
Updated by Victor Julien about 5 years ago
This mode of operation would look quite a bit like the inline mode for app-layer. For detection it would be a bit more involved.
Updated by Victor Julien about 5 years ago
- Related to Task #3288: Suricon 2019 brainstorm added
Updated by Jason Ish about 2 years ago
- Related to Bug #3480: EVE JSON - Incorrect Packet Logged added
Actions