Snort mailing list archives
frag3 preprocessor type definitions
From: "Crook, Parker" <Parker_Crook () reyrey com>
Date: Thu, 13 Jan 2011 16:40:29 -0500
Howdy, I was thumbing through the 2.9.0 manual for any changes and noticed on page 40 that the policy type definitions and the default value in the snort.conf that comes in the source don't mesh well...
From the snort.conf in 2.9.0.3 source:
preprocessor frag3_engine: policy windows [...]
From the manual (emphasis mine):
Platform                      Type
Windows (95/98/NT4/W2K/XP)    First
...
Preprocessor frag3_engine: policy first [...]

I am currently running with the policy 'windows' in place and snort is not complaining, in fact from my logs:

Jan 13 16:15:01 INSMT01-MON01 snort[26083]: Frag3 engine config:
Jan 13 16:15:01 INSMT01-MON01 snort[26083]: Target-based policy: WINDOWS
Jan 13 16:15:01 INSMT01-MON01 snort[26083]: Fragment timeout: 180 seconds
Jan 13 16:15:01 INSMT01-MON01 snort[26083]: Fragment min_ttl: 1
Jan 13 16:15:01 INSMT01-MON01 snort[26083]: Fragment Problems: 1
Jan 13 16:15:01 INSMT01-MON01 snort[26083]: Overlap Limit: 10
Jan 13 16:15:01 INSMT01-MON01 snort[26083]: Min fragment Length: 100

I did check the spp_frag3.c source and found the FRAG_POLICY_WINDOWS right after FRAG_POLICY_FIRST. Is there any functional difference in the two modes or are they redundant? If they are functionally different can you explain in which scenarios you should use one over the other?

Thanks,
Parker
Current thread:
- frag3 preprocessor type definitions Crook, Parker (Jan 13)
- Re: frag3 preprocessor type definitions Joel Esler (Jan 13)
- Re: frag3 preprocessor type definitions Joel Esler (Jan 14)