[Snort-devel] Evading Snort via splitting ACKs

David J. Bianco bianco at ...1589...
Wed Sep 25 05:23:03 EDT 2002

On Tue, 2002-09-24 at 09:12, Marc Norton wrote:

> The payload in the final ack of a connection handshake is not all that
> unusual in my experience.  I find it very unusual to hear of an IP stack
> accepting a TCP packet with data but without an ACK flag on an
> established connection.  After all the ack field is crucial to
> maintaining the proper and complete picture of session sequencing.  But,
> alas the actual strictness of this requirement and its implementation
> is not covered well in the literature.   And, as you point out,
> implementations are often found lacking.  If you checked out Stevens Vol
> II let us know, it's an interesting point.

Actually, I checked out Stevens vol 1.  Chapter 17, page 226 states:

	"[...]once a connection is established, this [acknowledgement
	number] field is always set and the ACK flag is always on."

So that, plus the RFC seem to add up to a pretty clear requirement.


David J. Bianco, GSEC		<bianco at ...1589...>
Thomas Jefferson National Accelerator Facility
GPG Fingerprint:   516A B80D AAB3 1617 A340  227A 723B BFBE B395 33BA

     The views expressed herein are solely those of the author and
	    not those of SURA/Jefferson Lab or the US DOE.
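A defender-side check for the rule quoted above, added here as an example that is not part of this thread or of Snort's own code: a minimal connection tracker that raises an alert (rather than silently discarding the segment) when data arrives without the ACK flag on an established connection. The segments are constructed dicts, not captured traffic.

```python
# Added example: apply the "ACK always on once established" rule from Stevens
# vol 1 / the RFC as a detection check. Segments are constructed, not captured.
SYN, ACK, PSH = 0x02, 0x10, 0x08

def seg(src, sport, dst, dport, flags, payload=b""):
    """Build a constructed TCP segment record."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "payload": payload}

def conn_key(s):
    """Direction-independent connection identifier."""
    a, b = (s["src"], s["sport"]), (s["dst"], s["dport"])
    return (a, b) if a < b else (b, a)

def track(segments):
    """Walk segments in arrival order; return (states, alerts)."""
    states = {}   # connection key -> SYN_SENT / SYN_RECEIVED / ESTABLISHED
    alerts = []
    for n, s in enumerate(segments):
        k, f, data = conn_key(s), s["flags"], s["payload"]
        st = states.get(k)
        if f & SYN and not f & ACK:
            states[k] = "SYN_SENT"
        elif f & SYN and f & ACK and st == "SYN_SENT":
            states[k] = "SYN_RECEIVED"
        elif f & ACK and st == "SYN_RECEIVED":
            # Payload on the third ACK is legitimate: the ACK flag is set.
            states[k] = "ESTABLISHED"
        elif st == "ESTABLISHED" and data and not f & ACK:
            # Stevens: after establishment the ACK flag is always on. A data
            # segment without it is either a broken stack or an evasion attempt,
            # so alert on it instead of dropping it on the floor.
            alerts.append((n, "data segment without ACK flag on established connection"))
    return states, alerts

# Constructed sample: handshake with data on the third ACK, then a PSH-only
# data segment with no ACK flag.
SAMPLE = [
    seg("10.0.0.5", 40000, "10.0.0.9", 80, SYN),
    seg("10.0.0.9", 80, "10.0.0.5", 40000, SYN | ACK),
    seg("10.0.0.5", 40000, "10.0.0.9", 80, ACK, b"GET / HTTP/1.0\r\n"),
    seg("10.0.0.5", 40000, "10.0.0.9", 80, PSH, b"Host: x\r\n\r\n"),
]

if __name__ == "__main__":
    for idx, msg in track(SAMPLE)[1]:
        print(f"segment {idx}: {msg}")
```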
