
Feature #2281: tcp stream: simpler IDS handling of overlap evasions

Added by Victor Julien over 8 years ago. Updated about 1 year ago.

Status: Assigned
Priority: Normal

Description

Currently we act only on 'ACKed' data so we can use target-based reassembly to prevent evasions. This leads to 2 issues:

1. detection/logging is always a bit delayed, which is worse in the case of sudden flow cut-offs. Then handling waits for the flow timeout.
2. nobody ever sets the OS/IP mapping.

The idea of this ticket is to act on non-ACK'd data right away, and simply issue a warning (event) if the data is different.
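
The behaviour the ticket proposes, as an added illustration that is not Suricata's stream engine: bytes are handed to detection as soon as they arrive (no ACK wait), earlier data is never rewritten, and a later overlapping segment whose bytes differ raises an event. The event name, the `Stream` class and the request segments are constructed for this example.

```python
from dataclasses import dataclass, field

# Constructed simulation, not Suricata code: one direction, first byte is seq 0, no seq wrap.
@dataclass
class Stream:
    delivered: dict = field(default_factory=dict)  # abs seq -> byte already inspected
    events: list = field(default_factory=list)     # emitted stream events

    def insert(self, seq: int, payload: bytes) -> bytes:
        """Deliver bytes to detection now, without waiting for an ACK.
        Already-delivered bytes are never rewritten (first arrival wins); a later
        segment with different data for the same range raises an event instead.
        Returns the bytes newly delivered by this segment."""
        new = bytearray()
        conflicts = []  # absolute sequence numbers whose byte disagrees
        for off, b in enumerate(payload):
            abs_seq = seq + off
            seen = self.delivered.get(abs_seq)
            if seen is None:
                self.delivered[abs_seq] = b
                new.append(b)
            elif seen != b:
                conflicts.append(abs_seq)
        if conflicts:
            self.events.append({
                "event": "stream.overlap_different_data",  # hypothetical event name
                "seq": conflicts[0],
                "bytes": len(conflicts),
            })
        return bytes(new)

    def reassembled(self) -> bytes:
        """Contiguous data from seq 0 as detection has seen it."""
        out = bytearray()
        s = 0
        while s in self.delivered:
            out.append(self.delivered[s])
            s += 1
        return bytes(out)


def demo():
    """Constructed overlap: a retransmitted segment carries a different URI."""
    st = Stream()
    st.insert(0, b"GET /index.html")   # original request start, inspected immediately
    st.insert(4, b"/other.html")       # overlaps seq 4..14 with 4 bytes changed
    st.insert(15, b" HTTP/1.0\r\n")    # rest of the request line
    return st.reassembled(), st.events
```

With this policy the sudden-cut-off delay in issue 1 disappears, because nothing is held back for an ACK; the overlap event is what tells the operator that a host-specific (OS/IP mapping) reassembly decision would have mattered.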


Related issues (3 open, 0 closed)

  • Related to Suricata - Task #2309: SuriCon 2017 brainstorm (Assigned, Victor Julien)
  • Related to Suricata - Task #3288: Suricon 2019 brainstorm (Assigned, Victor Julien)
  • Related to Suricata - Bug #3480: EVE JSON - Incorrect Packet Logged (Feedback, OISF Dev)

#1 Updated by Victor Julien over 8 years ago

  • Related to Task #2309: SuriCon 2017 brainstorm added

#2 Updated by Victor Julien over 6 years ago

This mode of operation would look quite a bit like the inline mode for app-layer. For detection it would be a bit more involved.

#3 Updated by Victor Julien over 6 years ago

  • Related to Task #3288: Suricon 2019 brainstorm added

#4 Updated by Jason Ish over 3 years ago

  • Related to Bug #3480: EVE JSON - Incorrect Packet Logged added

#5 Updated by Victor Julien about 1 year ago

There is potentially also a performance benefit to this approach.
