Network Instruments GigaStor User Manual page 47

Field: TCP Stream Reassembly (Continued)
Description:
  BSD = AIX, FreeBSD, HP-UX B.10.20, IRIX, IRIX64, NCD Thin Clients, OpenVMS, OS/2,
        OSF1, SunOS 4.1.4, Tru64 Unix, VAX/VMS
  Last data in = Cisco IOS
  BSD-right = HP JetDirect (printer)
  First data in = HP-UX 11.00, MacOS, SunOS 5.5.1 through 5.8
  Linux = Linux, OpenBSD
  Solaris = Solaris
  Windows = Windows (95/98/NT4/W2K/XP)
  Refer to http://www.snort.org for more detailed version-specific information.
The remaining options allow you to enable logging of alerts and reconstruction
progress, limit the number of active packet fragments to track, and change the
length of fragment inactivity after which the fragment is dropped from
analysis.
Another IDS evasion technique is to fragment the attack across multiple TCP
segments. Because hackers know that IDS systems attempt to reconstruct
TCP streams, they use a number of techniques to confuse the IDS so that it
reconstructs an incorrect stream (in other words, the IDS processes the stream
differently from the intended target). As with IP fragmentation, forensic
analysis must be configured to mimic how the host processes ambiguous and
overlapping TCP segments, and to account for the topology between attacker and
target, in order to accurately reassemble the same stream that landed on the
target. Reassembly options are described below:
Log preprocessor events—Checking this box causes forensic analysis to display
all activity generated by the TCP stream assembly preprocessor to the log.
Maximum active TCP streams tracked—If this value is set too high given the
size of the buffer being analyzed, performance can suffer because of memory
consumption. If this value is set too low, forensic analysis can be susceptible to
denial of service attacks upon the IDS itself (i.e., the attack on the target is carried
out after the IDS has used up its simultaneous sessions allocation).
Drop TCP streams inactive for this duration—A TCP session is dropped from
analysis as soon as it has been closed by an RST message or FIN handshake, or
after the time-out threshold for inactivity has been reached. Exercise caution
when adjusting the time-out, because hackers can use TCP tear-down policies
(and the differences between how analyzers handle inactivity vs. various
operating systems) to evade detection.
TTL delta alert limit—Some attackers depend on knowledge of the target
system's location relative to the IDS to send different streams of packets to each
by manipulating TTL (Time To Live) values. Any large swing in Time To Live (TTL)
values within a stream segment can be evidence of this kind of evasion attempt.
Set the value too high, and analysis will miss these attempts. Setting the value too
low can result in excessive false positives.
Overlapping packet alert threshold—The reassembly preprocessor will
generate an alert when more than this number of packets within a stream have
overlapping sequence numbers.
Process only established streams—Check this box if you want analysis to
process only streams that were established during the given packet capture.
Reconstruct Client to Server streams—Check this box to have analysis actually
reconstruct streams received by servers.
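As an added illustration (not code from the GigaStor manual or from Network Instruments), the following minimal reassembler resolves overlapping TCP segments under the "First data in" and "Last data in" policies listed above and raises the overlapping-packet and TTL-delta alerts described in the options. The segment tuples, the limit values and the sample request bytes are constructed for the example; the BSD, BSD-right, Linux, Solaris and Windows policies are not modelled.

```python
from dataclasses import dataclass, field

@dataclass
class StreamState:
    policy: str                 # "first" (first data in) or "last" (last data in)
    overlap_limit: int = 3      # overlapping packet alert threshold (constructed)
    ttl_delta_limit: int = 5    # TTL delta alert limit (constructed)
    payload: dict = field(default_factory=dict)   # byte offset -> byte value
    overlaps: int = 0           # segments that overlapped already-seen bytes
    base_ttl: int = None        # TTL of the first segment in the stream
    alerts: list = field(default_factory=list)

def add_segment(st, seg):
    """seg is (seq, data, ttl): relative sequence number, payload bytes, IP TTL."""
    seq, data, ttl = seg
    # TTL delta alert: a large swing from the stream's first TTL is suspicious
    if st.base_ttl is None:
        st.base_ttl = ttl
    elif abs(ttl - st.base_ttl) > st.ttl_delta_limit:
        st.alerts.append(f"ttl delta {abs(ttl - st.base_ttl)} at seq {seq}")
    overlapped = False
    for i, b in enumerate(data):
        off = seq + i
        if off in st.payload:
            overlapped = True
            if st.policy == "first":
                continue        # first data in: the byte seen first is kept
        st.payload[off] = b     # last data in: the newest byte wins
    if overlapped:
        st.overlaps += 1
        if st.overlaps > st.overlap_limit:
            st.alerts.append(f"{st.overlaps} overlapping segments exceeds limit")

def reassemble(st):
    # Return the contiguous run of bytes from offset 0, stopping at the first gap.
    out, off = bytearray(), 0
    while off in st.payload:
        out.append(st.payload[off])
        off += 1
    return bytes(out)

# Constructed sample: the second segment re-sends offsets 5-9 with different
# bytes, and the third arrives with a TTL far below the first two.
SAMPLE = [(0, b"GET /index.html", 64), (5, b"XXXXX", 64), (15, b" HTTP/1.0\r\n", 40)]

def run(policy, segments=SAMPLE, **limits):
    st = StreamState(policy, **limits)
    for seg in segments:
        add_segment(st, seg)
    return st
```

Running both policies over the same three segments produces two different request lines, which is why the chosen policy must match how the target host itself reassembles the stream.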
Creating a Forensic Settings profile | 47
