Snort mailing list archives
Re: Frag3 timeout ignored
From: Emeka Agu <mainmen1985 () gmail com>
Date: Sun, 2 Sep 2012 08:20:54 +0100
So sorry, it was early in the morning and I wasn't fully functioning!

Anyway, in Snort I set the timeout for fragments as 30 seconds. I know Windows has a 60 second fragment timeout. Using scapy I fragment a packet into two (Wireshark sees the separation as an IP fragment). I send the first fragment straight away, wait 45 seconds then send the next, thinking the original fragment will be dropped from Snort's buffer but kept by the OS buffer, but Snort STILL notices it, reassembles the file and alerts me to the content.

As for version, it is the default one on Backtrack 5R2, how can I tell the version?

My Frag3 line is:

    preprocessor frag3_engine: policy first detect_anomalies timeout 30

I notice that I can set the Stream5 timeout to a value too, so maybe I will set that to 30 seconds and see.

On 2 September 2012 06:19, waldo kitty <wkitty42 () windstream net> wrote:
> On 9/1/2012 22:36, Gmail Personal wrote:
> > Hi guys, my Frag3 timeout of 30 seconds is ignored when I'm doing some testing with Scapy
> > Is it as simple as putting "timeout 30" in the Frag engine options?
>
> you need to explain a bit more details... what do you mean that the timeout is not working? are you expecting that snort will timeout on the stream after 30 seconds or what??
>
> what version of snort are you running?
>
> what, exactly, does your stream3 config line look like??
>
> FWIW: all of our crystal balls are in the repair shop due to failures in reading what others are trying to depict with their reports... we only have what you/they can accurately explain to us to work with... "it isn't working" is like saying the "car won't start" and no one can tell if the battery is dead or the gas is watered down... so help us to help you... give us as much detail as you can that is specific to the problem you are having ;)
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
> http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Frag3 timeout ignored Gmail Personal (Sep 01)
- Re: Frag3 timeout ignored waldo kitty (Sep 01)
- Re: Frag3 timeout ignored Emeka Agu (Sep 02)
- Re: Frag3 timeout ignored waldo kitty (Sep 02)
- Programming output module Nikolai Preminin (Sep 03)
- Re: Frag3 timeout ignored Emeka Agu (Sep 02)
- Re: Frag3 timeout ignored waldo kitty (Sep 01)