Snort mailing list archives
Re: Follow-up
From: Bennett Todd <bet () rahul net>
Date: Mon, 3 Mar 2003 16:27:40 -0500
2003-03-03T15:40:50 Slighter, Tim:
> In regards to the RPC overflow, is it possible to specify a "fragbits" option that does not specify a value of "0"? Or will the preprocessor override any values in the rules files?

Preprocessors aren't controlled by rules files, their view of traffic isn't limited by rules. They are run over the traffic before the rules run. BPF rules could be used to totally blind snort to such traffic, so that neither rpc_decode, nor any other preprocessors, nor any rules, would ever see that traffic.

-Bennett