Snort mailing list archives

Re: Follow-up


From: Bennett Todd <bet () rahul net>
Date: Mon, 3 Mar 2003 16:27:40 -0500

2003-03-03T15:40:50 Slighter, Tim:
In regards to the RPC overflow, is it possible to specify a "fragbits"
option that does not specify a value of "0"?
Or will the preprocessor override any values in the rules files?

Preprocessors aren't controlled by rules files; their view of
traffic isn't limited by rules. They are run over the traffic before
the rules run.

BPF rules could be used to totally blind snort to such traffic, so
that neither rpc_decode, nor any other preprocessors, nor any rules,
would ever see that traffic.

-Bennett
