From: Jochen V. <jv...@it...> - 2004-11-22 12:57:45
example:

Client ----SYN-----------------> Server
Client <---SYN/ACK-------------- Server
Client -ACK(GET ../etc/passwd)-> Server

I think for this I need nothing.

Client -ACK(GET ../etc/passwd)-> Server

I think for this I need stream4 to protect from stick attacks.
Will the packets be ignored or dropped?

Client ----SYN----------> Server
Client <---SYN/ACK------- Server
Client ----ACK/GET ../)-> Server
Client ----ACK(etc/)----> Server
Client ----ACK(passwd)--> Server

I think for this I need frag2.

Are these thoughts correct?
Do I need stream4 to detect attacks over 2 packets?
What is with iptables because defrag and stream in front?

Thanks for help
jo

> > If I use stateless the connection sequence is not checked.
> > What do I lose if I disable stream4?
>
> You could miss (a lot) of attacks. If an attack fits in one packet you will be
> fine, however if it doesn't you will probably miss it. Stream4 also protects
> you against snot/stick attacks.
>
> Regards,
> Victor
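
The difference between the one-packet case and the three-segment case in the diagrams above, as an added example that is not part of the original thread and is not Snort or stream4 code. It assumes a simplified reassembler (ordering by sequence number, no overlap policy); the Segment type, function names, sequence numbers and payloads are constructed for illustration.

```python
# Added illustration: per-packet matching vs. matching on a reassembled stream.
from dataclasses import dataclass

SIGNATURE = b"../etc/passwd"  # content pattern taken from the post's diagrams

@dataclass
class Segment:
    seq: int        # TCP sequence number of the first payload byte
    payload: bytes

def match_per_packet(segments):
    """Stateless inspection: each payload is searched on its own."""
    return any(SIGNATURE in s.payload for s in segments)

def reassemble(segments, isn):
    """Order payloads by sequence number and join the contiguous bytes.

    Simplified: exact retransmissions are skipped, and reassembly stops at
    the first gap or overlap instead of applying a target-specific policy.
    """
    stream = bytearray()
    expected = isn + 1  # first data byte follows the SYN
    for s in sorted(segments, key=lambda s: s.seq):
        if s.seq + len(s.payload) <= expected:
            continue  # data already seen (retransmission)
        if s.seq != expected:
            break  # gap or partial overlap: stop rather than guess
        stream += s.payload
        expected += len(s.payload)
    return bytes(stream)

def match_on_stream(segments, isn):
    """Stream inspection: search the reassembled byte stream."""
    return SIGNATURE in reassemble(segments, isn)

ISN = 1000  # constructed initial sequence number
ONE_PACKET = [Segment(1001, b"GET ../etc/passwd")]
# The request from the third diagram, split over three segments and
# delivered out of order (constructed sample).
SPLIT = [Segment(1012, b"passwd"), Segment(1001, b"GET ../"), Segment(1008, b"etc/")]

if __name__ == "__main__":
    for name, segs in (("one packet", ONE_PACKET), ("three segments", SPLIT)):
        print(name, match_per_packet(segs), match_on_stream(segs, ISN))
```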