![snort logo](/images/snort-logo.png)
Snort mailing list archives
Re: fragrouter missed beginning
From: Chris Green <cmg () sourcefire com>
Date: Wed, 24 Apr 2002 15:10:03 -0400
Jason Yates <jyates () dataservice org> writes:
I kinda caught the fragrouter argument in the middle. Does anyone have a link of some sort that explains how fragrouter can bypass snort?
I'm about to formalize but the jist of it is that when breaking packets / data apart on the network, there was a problem in forming it back into something the IDS could alert. Just for an example, what was happening on reassembly is that overlaps were being constructed opposite from what most hosts see so the traffic being sent through the detection engine was actually basically looking at the wrong half of the traffic. Check out http://marc.theaimsgroup.com/?l=snort-users and find my initial response message from monday for a bit more -- Chris Green <cmg () sourcefire com> You now have 14 minutes to reach minimum safe distance. _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- fragrouter missed beginning Jason Yates (Apr 24)
- Re: fragrouter missed beginning Chris Green (Apr 24)