Feature #603
closed
stream: detect overlapping data in stream reassembly
Description
Resending of different data in TCP streams is a way to attempt to evade the IDS/IPS. Detect such resends.
Added by Victor Julien about 13 years ago. Updated about 13 years ago.
Solved by:
commit 6f76ac176d70d85fa2a5719dacdc8fef0ef074dc
Author: Victor Julien <victor@inliniac.net>
Date: Thu Oct 11 21:02:56 2012 +0200

    stream: add option to match on overlapping data

    Set event on overlapping data segments that have different data.

    Add stream-events option stream-event:reassembly_overlap_different_data and
    add an example rule.

    Issue 603.
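
The check requested in this issue, sketched as an added example (not Suricata's code and not part of the original ticket): a segment that overlaps already-stored stream data is flagged only when its bytes differ, so identical retransmissions stay silent. The names `OverlapDetector`, `Overlap` and `scan`, the first-copy-is-kept storage and the sample segments are assumptions made for illustration.

```python
from dataclasses import dataclass
SEQ_MOD = 1 << 32  # TCP sequence numbers wrap at 2**32

@dataclass
class Overlap:
    seq: int    # sequence number where the conflicting range starts
    old: bytes  # bytes already stored for that range
    new: bytes  # different bytes carried by the later segment

class OverlapDetector:
    """One direction of one TCP stream (hypothetical helper, not Suricata code)."""
    def __init__(self, isn):
        self.isn = isn   # initial sequence number for this direction
        self.seen = {}   # offset from ISN -> first byte value seen there

    def add_segment(self, seq, payload):
        """Record a segment; return Overlap entries where it contradicts stored data."""
        base = (seq - self.isn) % SEQ_MOD  # wrap-safe offset of the first byte
        conflicts, start = [], None
        for off, byte in enumerate(payload, base):
            differs = self.seen.setdefault(off, byte) != byte  # first copy is kept
            if differs and start is None:
                start = off                       # a conflicting run begins
            elif not differs and start is not None:
                conflicts.append(self._run(start, off, base, payload))
                start = None                      # the run ended on a matching byte
        if start is not None:                     # run reached the end of the segment
            conflicts.append(self._run(start, base + len(payload), base, payload))
        return conflicts

    def _run(self, start, end, base, payload):
        old = bytes(self.seen[o] for o in range(start, end))
        return Overlap((self.isn + start) % SEQ_MOD, old, payload[start - base:end - base])

def scan(isn, segments):
    det = OverlapDetector(isn)  # segments are (seq, payload) pairs in arrival order
    return [c for seq, payload in segments for c in det.add_segment(seq, payload)]

# Constructed sample: ISN 1000, data starts at 1001.
SEGMENTS = [
    (1001, b"HELLO "),
    (1007, b"WORLD"),
    (1007, b"WORLD"),     # identical retransmission: no event
    (1004, b"LO THERE"),  # overlaps stored data; bytes at 1007..1011 differ
]
if __name__ == "__main__":
    print(*scan(1000, SEGMENTS), sep="\n")
```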