Snort mailing list archives
Re: preprocessor normalize_tcp: ips
From: Jason Wallace <jason.r.wallace () gmail com>
Date: Tue, 10 Jan 2012 11:36:07 -0500
I understand now. Thx! On Tue, Jan 10, 2012 at 11:31 AM, Russ Combs <rcombs () sourcefire com> wrote:
On Tue, Jan 10, 2012 at 9:06 AM, Jason Wallace <jason.r.wallace () gmail com> wrote:So is it safe to say that this option should not be used in an environment with a large number of host OSs that use a different reassembly method?Wally, in inline mode, normalize_tcp: ips forces the reassembly policy to first and ensures that any retransmitted data is the same as the original. It therefore won't matter how the hosts do reassembly. So this option should be used if you are inline.On Mon, Jan 9, 2012 at 4:31 PM, Russ Combs <rcombs () sourcefire com> wrote:On Mon, Jan 9, 2012 at 12:18 PM, Jason Wallace <jason.r.wallace () gmail com> wrote:Howdy, The manual states that if you set "preprocessor normalize_tcp: ips" that the ips option "ensure consistency in retransmitted data (also forces reassembly policy to "first"). Any segments that can't be properly reassembled will be dropped." Is this for streams or fragments?Streams only.Also, How does this affect later settings for stream5 and frag3? Does it make host specific settings irrelevant?It only overrides the reassembly policy.Thx, Wally ------------------------------------------------------------------------------ Ridiculously easy VDI. With Citrix VDI-in-a-Box, you don't need a complex infrastructure or vast IT resources to deliver seamless, secure access to virtual desktops. With this all-in-one solution, easily deploy virtual desktops for less than the cost of PCs and save 60% on VDI infrastructure costs. Try it free! http://p.sf.net/sfu/Citrix-VDIinabox _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Write once. Port to many. Get the SDK and tools to simplify cross-platform app development. Create new or port existing apps to sell to consumers worldwide. Explore the Intel AppUpSM program developer opportunity. appdeveloper.intel.com/join http://p.sf.net/sfu/intel-appdev _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- preprocessor normalize_tcp: ips Jason Wallace (Jan 09)
- Re: preprocessor normalize_tcp: ips Russ Combs (Jan 09)
- Re: preprocessor normalize_tcp: ips Jason Wallace (Jan 10)
- Re: preprocessor normalize_tcp: ips Russ Combs (Jan 10)
- Re: preprocessor normalize_tcp: ips Jason Wallace (Jan 10)
- Re: preprocessor normalize_tcp: ips Jason Wallace (Jan 10)
- Re: preprocessor normalize_tcp: ips Russ Combs (Jan 09)