Firewall Wizards mailing list archives

Re: TCP segments with overlapping data
From: Ng Pheng Siong <ngps () post1 com>
Date: Thu, 6 Dec 2001 01:02:46 +0800

On Mon, Dec 03, 2001 at 06:37:14PM -0500, miedaner wrote:
> My question is what is TCP overlapping data?
> What is the vulnerability associated?

As explained by Vern.

Next, you may want to determine if this TCP overlapping traffic you're
seeing is benign or hostile. 

- Tabulate the remote IP addresses sending such traffic. See if you can
  eye-ball any trend or grouping.

- If you spot a trend or a group, put a sniffer to capture more of the
  traffic and study the traffic.

(Is your IDS probe in front or behind your firewall?)

Before you do the above though: Does your security policy or incident
response manual tell you how much to follow up in such situations? 

If not, what is the point of installing the IDS, or, IOW, how do you go
from reading your IDS's output to deciding that you should invoke your
local SIRT?

Cheers.
-- 
Ng Pheng Siong <ngps () post1 com> * http://www.post1.com/home/ngps

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards
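
The tabulation step suggested in the message above, as an added example that is not part of the original post: it finds overlapping segments per flow, then counts them by remote IP and groups the sources by /24 so a trend is visible. The record layout, the sample data, and the heuristic that matching overlap bytes look like ordinary retransmission while conflicting bytes deserve a capture are assumptions of this example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_network

# Constructed sample records (not from the original post), one per TCP segment:
# (src_ip, src_port, dst_ip, dst_port, seq, payload)
SEGMENTS = [
    ("198.51.100.7", 40001, "192.0.2.10", 80, 1000, b"GET /index"),
    ("198.51.100.7", 40001, "192.0.2.10", 80, 1004, b"/index.html"),  # same bytes in overlap
    ("203.0.113.21", 51000, "192.0.2.10", 80, 5000, b"GET /aaaa"),
    ("203.0.113.21", 51000, "192.0.2.10", 80, 5004, b"/etc/"),        # different bytes
    ("203.0.113.77", 51001, "192.0.2.10", 80, 9000, b"HEAD /x"),
    ("203.0.113.77", 51001, "192.0.2.10", 80, 9005, b"/y HTTP"),      # different bytes
    ("192.0.2.99", 33000, "192.0.2.10", 25, 100, b"HELO a"),
    ("192.0.2.99", 33000, "192.0.2.10", 25, 106, b"\r\n"),            # adjacent, no overlap
]

def find_overlaps(segments):
    """Return one (src_ip, kind) per overlapping segment pair in a flow.
    kind is 'consistent' if the shared bytes match, else 'conflicting'.
    Simplification: sequence-number wraparound is not handled."""
    flows = defaultdict(list)
    for src, sport, dst, dport, seq, data in segments:
        flows[(src, sport, dst, dport)].append((seq, data))
    hits = []
    for (src, *_), segs in flows.items():
        for i, (s1, d1) in enumerate(segs):
            for s2, d2 in segs[i + 1:]:
                lo, hi = max(s1, s2), min(s1 + len(d1), s2 + len(d2))
                if lo < hi:  # the two byte ranges intersect
                    same = d1[lo - s1:hi - s1] == d2[lo - s2:hi - s2]
                    hits.append((src, "consistent" if same else "conflicting"))
    return hits

def tabulate(hits, prefix=24):
    """Count hits per (src_ip, kind) and group source IPs by network prefix."""
    by_ip, by_net = Counter(), defaultdict(set)
    for src, kind in hits:
        by_ip[(src, kind)] += 1
        net = str(ip_network(f"{src}/{prefix}", strict=False))
        by_net[net].add(src)
    return by_ip, {net: sorted(ips) for net, ips in by_net.items()}

if __name__ == "__main__":
    by_ip, by_net = tabulate(find_overlaps(SEGMENTS))
    for (src, kind), n in by_ip.most_common():
        print(f"{src:15} {kind:12} {n}")
    print("Sources grouped by /24:")
    for net, ips in sorted(by_net.items()):
        print(f"  {net:18} {', '.join(ips)}")
```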

