From: Jochen V. <jv...@it...> - 2004-11-22 17:02:25

ok. once again. slowly for the slow coach.
when do i need frag2, stream4, stream4_reassembly if i use iptables in bridging mode or in routing mode and how did they work exactly.

thanks for help. i must understand it exactly or i can't sleep in the next days ;)

greets
jo

>Client ----SYN-----------------> Server
>Client <---SYN/ACK-------------- Server
>Client -ACK(GET ../etc/passwd)-> Server
>i think for this i need nothing

>Client -ACK(GET ../etc/passwd)-> Server
>i think for this i need stream4 to protect from stick attacks.
>will the packets be ignored or dropped?

stick attacks don't exactly look like this, but stream4 will drop out of state connection attempts i.e. stick/snot.

>Client ----SYN----------> Server
>Client <---SYN/ACK------- Server
>Client ----ACK/GET ../)-> Server
>Client ----ACK(etc/)----> Server
>Client ----ACK(passwd)--> Server
>i think for this i need frag2
>are these thoughts correct?
>do i need stream4 to detect attacks over 2 packets?
>what is with iptables because defrag and stream in front?

errr ummmm once again a fragmented attack doesn't exactly look like this, but if you are tracking state with iptables or using NAT, then iptables is doing fragment reassembly for you. In which case you don't need frag2.

Regards,

Will

Jochen Vogel <jv...@it...>
Sent by: sno...@li...
11/22/2004 06:52 AM
To 'Victor Julien' <vi...@nk...>
cc sno...@li...
Subject AW: AW: [Snort-inline-users] stateless vs. stateful

example:

Client ----SYN-----------------> Server
Client <---SYN/ACK-------------- Server
Client -ACK(GET ../etc/passwd)-> Server
i think for this i need nothing

Client -ACK(GET ../etc/passwd)-> Server
i think for this i need stream4 to protect from stick attacks.
will the packets be ignored or dropped?

Client ----SYN----------> Server
Client <---SYN/ACK------- Server
Client ----ACK/GET ../)-> Server
Client ----ACK(etc/)----> Server
Client ----ACK(passwd)--> Server
i think for this i need frag2
are these thoughts correct?
do i need stream4 to detect attacks over 2 packets?
what is with iptables because defrag and stream in front?

thanks for help
jo

> > if i use stateless the connection sequence is not checked.
> > what do i lose if i disable stream4?
>
> You could miss (a lot) of attacks. If an attack fits in one packet you will be
> fine, however if it doesn't you will probably miss it. Stream4 also protects
> you against snot/stick attacks.
>
> Regards,
> Victor
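
The following sketch is an added example, not part of the thread and not Snort's stream4 code. It models the three diagrams above with constructed packets: stateless per-packet matching versus handshake tracking plus TCP segment reassembly, which is what catches a request split across several segments and discards data that belongs to no session. The packet tuple, state names and endpoint names are assumptions made for the illustration.

```python
# Added illustration: a simplified model, not Snort's stream4 implementation.
from collections import namedtuple

Pkt = namedtuple("Pkt", "src dst flags seq payload")
PATTERN = b"../etc/passwd"  # content string from the thread's diagrams
C, S = "client", "server"   # constructed endpoint names

def stateless_alerts(pkts):
    """Inspect every payload on its own, ignoring connection state."""
    return [i for i, p in enumerate(pkts) if PATTERN in p.payload]

def stateful_alerts(pkts):
    """Track the handshake, discard out-of-state packets, match the reassembled stream.

    Returns (alerting packet indexes, dropped packet indexes). Only client-to-server
    data is modelled; sequence wraparound, overlaps and gaps are not handled.
    """
    state, segments, alerts, dropped = {}, {}, [], []
    for i, p in enumerate(pkts):
        flow, reverse = (p.src, p.dst), (p.dst, p.src)
        if p.flags == "S":
            state[flow] = "SYN_SEEN"
        elif p.flags == "SA" and state.get(reverse) == "SYN_SEEN":
            state[reverse] = "SYNACK_SEEN"
        elif p.flags == "A" and state.get(flow) in ("SYNACK_SEEN", "ESTABLISHED"):
            state[flow] = "ESTABLISHED"
            if p.payload:
                segments.setdefault(flow, {})[p.seq] = p.payload
                # Order segments by sequence number before matching.
                stream = b"".join(segments[flow][s] for s in sorted(segments[flow]))
                if PATTERN in stream:
                    alerts.append(i)
        else:
            dropped.append(i)  # no matching session: out of state
    return alerts, dropped

def handshake():
    return [Pkt(C, S, "S", 100, b""), Pkt(S, C, "SA", 500, b"")]

# Constructed traffic mirroring the three diagrams in the thread.
ONE_PACKET = handshake() + [Pkt(C, S, "A", 101, b"GET ../etc/passwd")]
NO_SESSION = [Pkt(C, S, "A", 101, b"GET ../etc/passwd")]
SPLIT = handshake() + [Pkt(C, S, "A", 101, b"GET ../"),
                       Pkt(C, S, "A", 108, b"etc/"),
                       Pkt(C, S, "A", 112, b"passwd")]

if __name__ == "__main__":
    for name, pkts in (("one packet", ONE_PACKET), ("no session", NO_SESSION), ("split", SPLIT)):
        print(name, stateless_alerts(pkts), stateful_alerts(pkts))
```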