Snort mailing list archives

Re: fragrouter missed beginning


From: Chris Green <cmg () sourcefire com>
Date: Wed, 24 Apr 2002 15:10:03 -0400

Jason Yates <jyates () dataservice org> writes:

> I kinda caught the fragrouter argument in the middle.  Does anyone have
> a link of some sort that explains how fragrouter can bypass snort?


I'm about to formalize but the gist of it is that when breaking
packets / data apart on the network, there was a problem in forming it
back into something the IDS could alert on.

Just for an example, what was happening on reassembly is that overlaps
were being constructed opposite from what most hosts see so the
traffic being sent through the detection engine was actually basically
looking at the wrong half of the traffic.

Check out http://marc.theaimsgroup.com/?l=snort-users and find my
initial response message from Monday for a bit more
-- 
Chris Green <cmg () sourcefire com>
You now have 14 minutes to reach minimum safe distance.
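
An added illustration of the overlap problem described in the message above (not code from Snort or from the original post): the same fragments are rebuilt under two overlap policies, and a check flags overlaps whose bytes disagree. The function names, policy labels and sample fragments are assumptions constructed for this example.

```python
# Added illustration: fragment offsets and payloads below are constructed sample data.
from typing import Iterable, List, Tuple

Fragment = Tuple[int, bytes]  # (byte offset, payload), in arrival order


def reassemble(fragments: Iterable[Fragment], policy: str) -> bytes:
    """Rebuild a buffer from fragments, resolving overlaps by policy.

    "first": bytes already received are kept (earliest arrival wins).
    "last":  later fragments overwrite earlier bytes (latest arrival wins).
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}  # offset -> byte value
    for offset, data in fragments:
        for i, b in enumerate(data):
            pos = offset + i
            if policy == "last" or pos not in buf:
                buf[pos] = b
    if not buf:
        return b""
    end = max(buf) + 1
    if len(buf) != end:
        raise ValueError("hole in fragment train; cannot reassemble")
    return bytes(buf[i] for i in range(end))


def conflicting_overlaps(fragments: Iterable[Fragment]) -> List[int]:
    """Return offsets where two fragments carry different bytes."""
    seen, conflicts = {}, set()
    for offset, data in fragments:
        for i, b in enumerate(data):
            pos = offset + i
            if pos in seen and seen[pos] != b:
                conflicts.add(pos)
            seen.setdefault(pos, b)
    return sorted(conflicts)


# Constructed sample: the second fragment overlaps bytes 4..7 of the first.
SAMPLE = [(0, b"GET /AAA"), (4, b"/BBB HTTP/1.0")]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SAMPLE, policy))
    print("conflicting offsets:", conflicting_overlaps(SAMPLE))
```

A sensor that reassembles with one policy while the destination host uses the other inspects a different byte stream from the one the host acts on; a non-empty result from `conflicting_overlaps` is itself worth alerting on, since benign retransmissions carry identical bytes.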

