Fix BIT-1314: Detect "quantum insert" type of attacks #31

yunzheng · 2015-05-28T10:20:34Z

The patch is the same as https://github.com/fox-it/quantuminsert/tree/master/detection/bro
But a pull request is probably easier for review.

Also added a unit test for the rexmit_inconsistency event using an example Quantum Insert pcap.

TCP_Reassembler can now keep a history of old TCP segments using the `tcp_max_old_segments` option. A value of zero will disable it. An overlapping segment with different data can indicate a possible TCP injection attack. The rexmit_inconsistency event will fire if this is the case.

rsmmr · 2015-06-19T23:25:49Z

I'm going to look at this, might just take me a little bit more to get to it.

I've worked on this a bit more: - Added tcp_max_old_segments to init-bare.bro. - Removed the existing call to Overlap() as that now led to duplicate events. - Fixed the code checking for overlaps, as it didn't catch all the cases. BIT-1314 #merged GitHub #31 merged * topic/yunzheng/bit-1314: BIT-1314: Added QI test for rexmit_inconsistency BIT-1314: Add detection for Quantum Insert attacks

yunzheng added 2 commits May 28, 2015 12:11

BIT-1314: Added QI test for rexmit_inconsistency

2aa214d

rsmmr self-assigned this Jun 19, 2015

bro-bot merged commit 2aa214d into zeek:master Jul 3, 2015

yunzheng deleted the topic/bit-1314 branch September 11, 2015 06:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Fix BIT-1314: Detect "quantum insert" type of attacks #31

Fix BIT-1314: Detect "quantum insert" type of attacks #31

yunzheng commented May 28, 2015

rsmmr commented Jun 19, 2015

Fix BIT-1314: Detect "quantum insert" type of attacks #31

Fix BIT-1314: Detect "quantum insert" type of attacks #31

Conversation

yunzheng commented May 28, 2015

rsmmr commented Jun 19, 2015