Snort mailing list archives

Re: out of order ip fragments and frag3


From: Joel Esler <jesler () sourcefire com>
Date: Thu, 14 Jan 2010 13:29:39 -0500

Snort reassembles IP fragments based upon the operating system that frag3 is
configured to reassemble the IP packet stream for.

For instance, if I have two boxes,

One Solaris
One Windows

...and I have frag3 set up to monitor these IPs and reassemble fragments
going to these boxes as the end-host operating system would reassemble them,
then frag3 will take care of the out-of-order IP fragments based upon how
the OS would handle it.

All that being said, I encourage you to check out doc/README.frag3 and the
Snort Manual for further details on the configuration and operation of the
frag3 preprocessor.

J

On Thu, Jan 14, 2010 at 12:01 PM, <alessandrorguard-snortml () yahoo it> wrote:

Hi all!!
Does Snort/frag3 manage out-of-order IP fragments?
If yes, is there a way to configure it?
If not, are they managed like non-fragmented packets?

Thanks!
Alessandro






------------------------------------------------------------------------------
Throughout its 18-year history, RSA Conference consistently attracts the
world's best and brightest in the field, creating opportunities for
Conference
attendees to learn about information security's most important issues
through
interactions with peers, luminaries and emerging and established companies.
http://p.sf.net/sfu/rsaconf-dev2dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users




-- 
Joel Esler
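
Added example (not part of the original message and not Snort code): a toy model of why a sensor has to reassemble the way the destination host does. Fragments that arrive out of order but do not overlap rebuild identically under any policy, while overlapping fragments rebuild differently. The function names and sample fragments are constructed for illustration; "first" and "last" are modelled in simplified form, and the MF flag and timeouts are ignored.

```python
# Toy model of target-based IP fragment reassembly (assumption: simplified,
# byte-granular, no MF flag or timeout handling; not frag3's implementation).

def reassemble(fragments, policy):
    """Rebuild a payload from (byte_offset, data) fragments in ARRIVAL order.

    policy "first": on overlap, the byte that arrived first is kept.
    policy "last":  on overlap, the later arrival overwrites it.
    Returns the payload bytes, or None while a hole remains.
    """
    if policy not in ("first", "last"):
        raise ValueError("unsupported policy: %r" % (policy,))
    buf = {}  # byte position -> byte value
    for offset, data in fragments:
        for i, value in enumerate(data):
            pos = offset + i
            if pos in buf and policy == "first":
                continue  # original data wins
            buf[pos] = value
    if not buf:
        return None
    end = max(buf) + 1
    if any(pos not in buf for pos in range(end)):
        return None  # a fragment is still missing
    return bytes(buf[pos] for pos in range(end))


def policies_disagree(fragments):
    """True when sensor and host could see different data for one datagram."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")


# Constructed sample: three fragments arriving out of order, no overlap.
OUT_OF_ORDER = [(16, b"CCCCCCCC"), (0, b"AAAAAAAA"), (8, b"BBBBBBBB")]

# Constructed sample: a later fragment overlaps bytes 8..15.
OVERLAPPING = [(0, b"AAAAAAAA"), (8, b"BBBBBBBB"),
               (8, b"XXXXXXXX"), (16, b"CCCCCCCC")]

if __name__ == "__main__":
    for name, frags in (("out-of-order", OUT_OF_ORDER),
                        ("overlapping", OVERLAPPING)):
        print(name, reassemble(frags, "first"), reassemble(frags, "last"),
              "disagree" if policies_disagree(frags) else "agree")
```

The second case is the one the per-host policy setting exists for: if the sensor applies a different overlap rule than the destination OS, it inspects a payload the host never sees.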
