Snort mailing list archives

Frag3 in CVS HEAD


From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 8 Oct 2004 12:56:31 -0400

Hi all,

I tried posting this message a few days ago but Sourceforge appears to have eaten it; let's try again.

A new IP defragmentation preprocessor, Frag3, was checked into CVS HEAD yesterday and is available for testing. Please consider this code EXPERIMENTAL at this time; I've done a good deal of testing on it to date, but only on x86 and G4/G5 machines.

Frag3 is a new IP defrag subsystem for Snort that has the following features/improvements over frag2:

* Target-based fragment reassembly (anti-evasion)
* User selectable memory management system (memcap or preallocated)
* Uses hash tables/linked lists instead of splay trees (much faster than frag2)
* 8 anomaly detection modes
* Improved fragment timeout handling

Portions of frag3 are based loosely on the Linux IP defragmentation mechanism and frag2's implementation, but in large part the code is all new. I'd like to thank Vern Paxson and Umesh Shankar for their excellent paper that defined the framework for the target-based mechanisms that I have included in frag3. Check it out at http://www.icir.org/vern/papers/activemap-oak03.pdf if you're interested in seeing some really important basic network security research that was necessary to build these target-based systems that I've been ranting about for the last four years.

Docs for the module are available in the doc directory, check out the README.frag3 file for more info and background, as well as the snort.conf file for basic "up and running" information.

As I said, frag3 is considered *experimental* at this point. I've hit it with some pretty serious test cases, but it doesn't have a lot of time on real networks or non-Linux/OS X platforms at this point. If you're feeling adventurous, please download HEAD and check it out! If you find any bugs, please let me know and I'll work to address them as quickly as possible.

     -Marty

--
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
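The following is an added illustration, written by the editor and not code from frag3 or from the poster, of why target-based reassembly is an anti-evasion feature: the same overlapping fragment stream reassembles to different bytes depending on the receiving host's overlap policy, so an IDS must model the actual target and should flag overlaps as anomalies. The policy labels "first" and "last" and the sample fragments are constructed for the example.

```python
# Minimal model of IP fragment reassembly under two overlap policies.
# Fragments are (byte offset, payload) pairs belonging to one datagram.
# Assumed policy labels (not frag3's configuration syntax):
#   "first": bytes already received win over later overlapping bytes
#   "last":  later overlapping bytes overwrite earlier ones
from typing import Dict, Iterable, List, Tuple

Fragment = Tuple[int, bytes]


def reassemble(frags: Iterable[Fragment], policy: str) -> bytes:
    """Reassemble fragments into one payload under the given overlap policy."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown overlap policy: {policy}")
    buf: Dict[int, int] = {}  # absolute byte offset -> byte value
    for off, data in frags:
        for i, b in enumerate(data):
            pos = off + i
            if policy == "first" and pos in buf:
                continue  # keep the byte that arrived first
            buf[pos] = b  # "last" overwrites; "first" fills only new offsets
    if not buf:
        return b""
    end = max(buf) + 1
    if len(buf) != end:  # a hole means the datagram is not complete
        raise ValueError("missing fragment data")
    return bytes(buf[i] for i in range(end))


def overlapping_bytes(frags: Iterable[Fragment]) -> int:
    """Count bytes covered by more than one fragment (an anomaly worth alerting on)."""
    seen = set()
    overlaps = 0
    for off, data in frags:
        for i in range(len(data)):
            if off + i in seen:
                overlaps += 1
            seen.add(off + i)
    return overlaps


def policies_disagree(frags: List[Fragment]) -> bool:
    """True when the target's overlap policy changes what the host will see."""
    return reassemble(frags, "first") != reassemble(frags, "last")


# Constructed sample: the third fragment overlaps the tail of the second.
SAMPLE: List[Fragment] = [(0, b"GET /ind"), (8, b"ex.html "), (11, b"ABCDE")]

if __name__ == "__main__":
    for p in ("first", "last"):
        print(p, reassemble(SAMPLE, p))
    print("overlapping bytes:", overlapping_bytes(SAMPLE), "ambiguous:", policies_disagree(SAMPLE))
```

A "first"-policy host sees `GET /index.html ` while a "last"-policy host sees `GET /index.ABCDE`; an IDS that reassembles with the wrong policy inspects a different payload than the target receives.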



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net