Check TCP sequence number?

Hi,

Does Bro 09a7 check/verify TCP sequence numbers?

(fbsd410 platform)

Regards

Rmkml@Wanadoo.fr

Yep sure -- you cannot do flow reassembly (which is necessary for any
analysis beyond the packet level) without looking closely at the TCP
sequence numbers.

Cheers,
Christian.

Yes,
but let me explain my problem:
  $ telnet xxx
  $ hping2 send Push on tcp open telnet to xxx
  xxx ACKs it, but the PSH segment's sequence number is bad.
  Bro (and Snort/Prelude/Firestorm) raises no event for this ...
Strange?
Regards
Rmkml@Wanadoo.fr

Yes,
but let me explain my problem:
  $ telnet xxx
  $ hping2 send Push on tcp open telnet to xxx
  xxx ACKs it, but the PSH segment's sequence number is bad.

You mean intentionally bad (i.e., you set it to some garbage value), I
presume.

  Bro (and Snort/Prelude/Firestorm) raises no event for this ...
Strange?

No -- there are precise semantics in TCP regarding what sequence numbers
are acceptable at a given time, so anything outside of the acceptable
window is just ignored. There's no danger of confusion here between the
IDS and the end host, so it's not worth reporting.

Note that Bro *does* report content gaps though.

Regards,
Christian.
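To make the "acceptable window" point concrete, here is an added example (my own code, not Bro's reassembler or any other IDS's implementation). It implements the RFC 793 segment acceptability test that an end host applies before it takes payload from a segment, together with a minimal in-order reassembler of the kind a flow-reassembling IDS needs. The sequence numbers, window size and payloads are constructed for the demo. A PSH segment with a garbage sequence number, as in the hping2 test above, fails the acceptability test and is dropped without any event; an in-window segment that lies ahead of RCV.NXT is held, and the hole in front of it is the situation Bro reports as a content gap.

```python
# Added example: RFC 793 segment acceptability plus in-order reassembly.
# Not Bro's code; the scenario in demo() is constructed for illustration.

MOD = 1 << 32


def seq_lt(a, b):
    """True if a precedes b in 32-bit wrapping sequence space."""
    return ((a - b) & 0xFFFFFFFF) > 0x7FFFFFFF


def seq_le(a, b):
    return a == b or seq_lt(a, b)


def acceptable(seq, seg_len, rcv_nxt, rcv_wnd):
    """RFC 793 section 3.3: does any part of [seq, seq+seg_len) fall inside
    the receive window [rcv_nxt, rcv_nxt+rcv_wnd)?"""
    wnd_end = (rcv_nxt + rcv_wnd) % MOD
    if seg_len == 0:
        if rcv_wnd == 0:
            return seq == rcv_nxt
        return seq_le(rcv_nxt, seq) and seq_lt(seq, wnd_end)
    if rcv_wnd == 0:
        return False
    last = (seq + seg_len - 1) % MOD
    return (seq_le(rcv_nxt, seq) and seq_lt(seq, wnd_end)) or \
           (seq_le(rcv_nxt, last) and seq_lt(last, wnd_end))


class Stream:
    """One direction of a TCP connection, reassembled in sequence order."""

    def __init__(self, isn, rcv_wnd=65535):
        self.rcv_nxt = isn % MOD   # next byte the receiver expects
        self.rcv_wnd = rcv_wnd
        self.data = bytearray()    # contiguous payload delivered so far
        self.pending = {}          # seq -> payload: in window, but ahead of rcv_nxt
        self.dropped = 0           # out-of-window segments: ignored, nothing to report
        self.gaps = []             # (rcv_nxt, missing_bytes): what Bro calls a content gap

    def deliver(self, seq, payload):
        seq %= MOD
        if not acceptable(seq, len(payload), self.rcv_nxt, self.rcv_wnd):
            self.dropped += 1      # e.g. the hping2 PSH with a bogus sequence number
            return
        if seq_lt(seq, self.rcv_nxt):              # partial retransmission:
            skip = (self.rcv_nxt - seq) % MOD       # keep only the bytes not yet seen
            payload, seq = payload[skip:], self.rcv_nxt
        if seq == self.rcv_nxt:
            self._append(payload)
        else:                                       # in window, but a hole in front of it
            self.pending[seq] = payload
            self.gaps.append((self.rcv_nxt, (seq - self.rcv_nxt) % MOD))

    def _append(self, payload):
        self.data += payload
        self.rcv_nxt = (self.rcv_nxt + len(payload)) % MOD
        # Drain held segments that have become contiguous, trimming any overlap.
        for s in sorted(self.pending):
            if seq_le(s, self.rcv_nxt):
                p = self.pending.pop(s)[(self.rcv_nxt - s) % MOD:]
                if p:
                    self._append(p)
                    return


def demo():
    """Constructed scenario mirroring the thread: a telnet session into which
    a PSH segment with a garbage sequence number is injected."""
    s = Stream(isn=1000)
    s.deliver(1000, b"login: ")           # in order
    s.deliver(5_000_000, b"hping2 junk")  # bogus seq: outside the window, dropped silently
    s.deliver(1011, b"word: ")            # in window, 4 bytes ahead: held, gap recorded
    s.deliver(1007, b"pass")              # fills the hole; the held segment drains
    return bytes(s.data), s.dropped, s.gaps


if __name__ == "__main__":
    print(demo())
```

The dropped segment is exactly the case Christian describes: the end host and the IDS agree that it carries nothing, so there is no ambiguity to report. The gap, by contrast, is something the analyzer genuinely cannot resolve on its own, which is why that is the condition worth an event.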

Hi,

Thanks for the reply, Christian.

First test against www.bro-ids.org (see the attached pcap1 file):

The injected packet is no. 4.

Bro09a7 raises no event ...

Another test against www.snort.org (this web server does not ACK; pcap2 file):

The injected packet is no. 4.

Bro09a7 raises no event ...

Regards

Rmkml@Wanadoo.fr

PS: Strange: in the first test the Bro web server did not ACK, but after the Snort test the Bro web server did ACK!

pbseqnum1.tcpdump.bz2 (22.6 KB)

pbseqnum2.tcpdump.bz2 (997 Bytes)