[Snort-devel] Evading Snort via splitting ACKs
David J. Bianco
bianco at ...1589...
Wed Sep 25 05:23:03 EDT 2002
On Tue, 2002-09-24 at 09:12, Marc Norton wrote:
> The payload in the final ack of a connection handshake is not all that
> unusual in my experience. I find it very unusual to hear of an IP stack
> accepting a TCP packet with data but without an ACK flag on an
> established connection. After all the ack field is crucial to
> maintaining the proper and complete picture of session sequencing. But,
> alas the actual strictness of this requirement and its implementation
> is not covered well in the literature. And, as you point out,
> implementations are often found lacking. If you checked out Stevens Vol
> II let us know, it's an interesting point.
Actually, I checked out Stevens vol 1. Chapter 17, page 226 states:
"[...]once a connection is established, this [acknowledgement
number] field is always set and the ACK flag is always on."
So that, plus the RFC, seems to add up to a pretty clear requirement.
David J. Bianco, GSEC <bianco at ...1589...>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint: 516A B80D AAB3 1617 A340 227A 723B BFBE B395 33BA
The views expressed herein are solely those of the author and
not those of SURA/Jefferson Lab or the US DOE.
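The requirement discussed above (once the handshake completes, every segment must carry ACK) turned into a detection check, as an added example that is not code from this thread or from Snort. It parses raw TCP headers, tracks when a flow's three-way handshake finished, and reports data-bearing segments with ACK clear on an established flow; the sample stream is constructed, flows are keyed on the port pair only (no IP addresses), and checksums are left zero.

```python
import struct
from dataclasses import dataclass

TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK = 0x01, 0x02, 0x04, 0x08, 0x10

@dataclass
class TcpSegment:
    src_port: int
    dst_port: int
    seq: int
    ack: int
    flags: int
    payload: bytes

def parse_tcp(raw: bytes) -> TcpSegment:
    """Parse an RFC 793 TCP header plus payload from raw bytes (no IP header)."""
    if len(raw) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", raw[:14])
    data_off = (off_flags >> 12) * 4      # header length in bytes
    return TcpSegment(sport, dport, seq, ack, off_flags & 0x01FF, raw[data_off:])

def build_tcp(sport, dport, seq, ack, flags, payload=b"") -> bytes:
    """Build a 20-byte-header segment; window 65535, checksum/urgent left zero."""
    hdr = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return hdr + payload

def find_ackless_data(segments):
    """Return indexes of segments that carry data with ACK clear on a flow
    whose handshake has already completed (the case the thread discusses)."""
    established = set()
    findings = []
    for i, raw in enumerate(segments):
        s = parse_tcp(raw)
        key = frozenset((s.src_port, s.dst_port))   # assumption: port pair only
        if s.flags & TH_ACK and not s.flags & TH_SYN:
            established.add(key)                    # third handshake packet or later
        elif s.payload and key in established and not s.flags & TH_ACK:
            findings.append(i)
    return findings

def sample_stream(ack_on_data: bool):
    """Constructed sample: a full handshake followed by one data segment,
    with or without the ACK flag set."""
    data_flags = TH_PSH | (TH_ACK if ack_on_data else 0)
    return [
        build_tcp(40000, 80, 100, 0, TH_SYN),
        build_tcp(80, 40000, 500, 101, TH_SYN | TH_ACK),
        build_tcp(40000, 80, 101, 501, TH_ACK),
        build_tcp(40000, 80, 101, 501, data_flags, b"GET / HTTP/1.0\r\n"),
    ]
```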