mkettler at ...4108...
Tue Apr 29 09:16:56 EDT 2003
From what I read, sidestep does a fragmentation style attack, but rather
than using the IP or TCP layers (which is what fragrouter and the like do),
it uses features of particular application protocols to do it.

So basically in this example it's making a bunch of redundant commands to
RPC, and at the application layer, apparently RPC will re-assemble it.

Another discussion can be found here:

I think that sidestep, and similar attacks, is one reason why snort has a

At 01:35 PM 4/29/2003 +0100, Jill Tovey wrote:
>Anyway, as you can see the packet data is very different, but the first
>44 bytes are the same, this is probably why snort is detecting the
>
>So would anyone like to attempt an explanation as to how this tries to
>
>Any comments much appreciated,
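
The application-layer reassembly described in the reply above, as an added example that is not part of the original post and is not Snort's code: ONC RPC over TCP splits a record into fragments with a 4-byte record mark (RFC 5531: high bit marks the last fragment, low 31 bits give the length), so a sensor has to rebuild the record before content matching. The `SIGMATCH` pattern, the sample byte strings and the function names are constructed for illustration.

```python
import struct

LAST_FRAGMENT = 0x80000000  # high bit of the record mark: final fragment of a record


def reassemble_rpc_records(stream: bytes, max_record: int = 1 << 20):
    """Rebuild RPC records from a TCP byte stream.

    Returns (records, fragment_counts, leftover). leftover holds the bytes of
    a record that is not complete yet, so the caller can prepend them to the
    next chunk of the stream.
    """
    records, counts = [], []
    current, nfrags = bytearray(), 0
    pos = record_start = 0
    while pos + 4 <= len(stream):
        (mark,) = struct.unpack_from(">I", stream, pos)
        length = mark & 0x7FFFFFFF
        if pos + 4 + length > len(stream):
            break  # fragment body not fully captured yet
        if len(current) + length > max_record:
            raise ValueError("reassembled record exceeds max_record")
        current += stream[pos + 4 : pos + 4 + length]
        nfrags += 1
        pos += 4 + length
        if mark & LAST_FRAGMENT:
            records.append(bytes(current))
            counts.append(nfrags)
            current, nfrags = bytearray(), 0
            record_start = pos
    return records, counts, stream[record_start:]


def match_normalized(stream: bytes, pattern: bytes):
    """Return (record_index, fragment_count) for each record containing pattern."""
    records, counts, _ = reassemble_rpc_records(stream)
    return [(i, counts[i]) for i, rec in enumerate(records) if pattern in rec]


# Constructed samples: the same 8-byte record sent whole and in two fragments.
PATTERN = b"SIGMATCH"
SINGLE = b"\x80\x00\x00\x08SIGMATCH"
FRAGMENTED = b"\x00\x00\x00\x04SIGM" + b"\x80\x00\x00\x04ATCH"

if __name__ == "__main__":
    print("raw match on fragmented stream:", PATTERN in FRAGMENTED)
    print("normalized match:", match_normalized(FRAGMENTED, PATTERN))
```

The fragment count returned with each hit lets an analyst see when a small record arrived in more pieces than its size would call for.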