Snort mailing list archives
Re: snort DCE/RPC reassemble_threshold
From: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Date: Tue, 21 Dec 2010 12:24:21 -0500
Ryan,

Thanks, I did find the README.DCERPC2 after I sent the message.
My question is why, if DCE/RPC was deprecated in snort 2.8.6.1, the README.DCERPC has a version for 2.8.6.1 listed here:
http://cvs.snort.org/viewcvs.cgi/snort/doc/Attic/README.dcerpc?logsort=date&search=None&hideattic=1&sortby=file&hidecvsroot=1&diff_format=h

Thanks,
Larry

----- Original Message -----
From: "Ryan Jordan" <ryan.jordan () sourcefire com>
To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, December 21, 2010 12:14 PM
Subject: Re: [Snort-users] snort DCE/RPC reassemble_threshold

Hi Larry,

The README.dcerpc that you linked was tied to the old dcerpc preprocessor, which we removed in Snort 2.9.0. We replaced it with dcerpc2 a couple years ago, whose README you can find here:
http://cvs.snort.org/viewcvs.cgi/snort/doc/README.dcerpc2
From the README:
reassemble_threshold
    Specifies a minimum number of bytes in the DCE/RPC desegmentation and defragmentation buffers before creating a reassembly packet to send to the detection engine. This option is useful in inline mode so as to potentially catch an exploit early before full defragmentation is done. A value of 0 supplied as an argument to this option will, in effect, disable this option. Default is disabled.

-Ryan

On Tue, Dec 21, 2010 at 12:04 PM, Lawrence R. Hughes, Sr. <lhughes () safemedia com> wrote:
Hi,

The default snort.conf file has:
preprocessor dcerpc2: reassemble_threshold
yet when looking at the snort manual, reassemble_threshold is never mentioned; also the README.dcerpc does not mention it.
What is it and what does it do?

Thanks,
Larry

------------------------------------------------------------------------------
Forrester recently released a report on the Return on Investment (ROI) of Google Apps. They found a 300% ROI, 38%-56% cost savings, and break-even within 7 months. Over 3 million businesses have gone Google with Google Apps: an online email calendar, and document program that's accessible from your browser. Read the Forrester report: http://p.sf.net/sfu/googleapps-sfnew
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
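The README text quoted in this message describes a byte threshold that triggers reassembly before defragmentation is complete. The following is an added illustration, not part of the thread and not Snort source code: a simplified Python model in which all names (`FragBuffer`, `first_detection`, the sample data) are hypothetical, and which assumes the buffer is kept and re-checked after every fragment.

```python
# Simplified model of threshold-triggered early reassembly.
# Assumption: the fragment buffer is retained after an early reassembly and
# the threshold is re-checked on every later fragment. Snort internals may differ.

class FragBuffer:
    def __init__(self, threshold):
        self.threshold = threshold   # models reassemble_threshold; 0 disables it
        self.data = bytearray()

    def add(self, frag, last):
        """Buffer one fragment; return the bytes handed to detection, or None."""
        self.data += frag
        if last:
            # Full defragmentation: always hand the complete request to detection.
            out = bytes(self.data)
            self.data.clear()
            return out
        if self.threshold and len(self.data) >= self.threshold:
            # Early reassembly: detection sees a partial request.
            return bytes(self.data)
        return None


def first_detection(frags, threshold, pattern):
    """Return the 1-based fragment index at which `pattern` first becomes
    visible to detection, or None if it never does."""
    buf = FragBuffer(threshold)
    for i, frag in enumerate(frags, start=1):
        pkt = buf.add(frag, last=(i == len(frags)))
        if pkt is not None and pattern in pkt:
            return i
    return None


# Constructed sample: a 40-byte request split into five 8-byte fragments,
# with a marker string straddling fragments 2 and 3.
PATTERN = b"MARKER!!"
STUB = b"A" * 12 + PATTERN + b"B" * 20
FRAGS = [STUB[i:i + 8] for i in range(0, len(STUB), 8)]

if __name__ == "__main__":
    for t in (0, 24, 64):
        print(f"reassemble_threshold {t}: pattern visible at fragment",
              first_detection(FRAGS, t, PATTERN))
```

With the threshold disabled (0) or larger than the whole request (64), the marker only becomes visible at the final fragment; with a threshold of 24 it is visible at fragment 3, while two fragments are still outstanding. That is the inline-mode benefit the README describes.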
Current thread:
- snort DCE/RPC reassemble_threshold Lawrence R. Hughes, Sr. (Dec 21)
- Re: snort DCE/RPC reassemble_threshold Ryan Jordan (Dec 21)
- Re: snort DCE/RPC reassemble_threshold Lawrence R. Hughes, Sr. (Dec 21)
- Re: snort DCE/RPC reassemble_threshold Ryan Jordan (Dec 21)
- Re: snort DCE/RPC reassemble_threshold Lawrence R. Hughes, Sr. (Dec 21)
- Re: snort DCE/RPC reassemble_threshold Ryan Jordan (Dec 21)