Snort mailing list archives

Re: Frag3 timeout ignored


From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 02 Sep 2012 16:32:30 -0400

On 9/2/2012 03:20, Emeka Agu wrote:
> So sorry, it was early in the morning and I wasn't fully functioning!

yeah... for me, too... actually the end of a very long day... thus i typed 
stream3 when i meant frag3 :/


> Anyway
>
> In snort I set the timeout for fragments as 30 seconds. I know Windows has a 60
> second fragment timeout. Using scapy I fragment a packet into two (Wireshark
> sees the separation as an IP fragment).
>
> I send the first fragment straight away, wait 45 seconds then send the next,
> thinking the original fragment will be dropped from Snort's buffer but kept by
> the OS buffer, but Snort STILL notices it reassembles the file and alerts me to
> the content.

ahhh... ok... i understand better now ;)


> As for version, it is the default one on Backtrack 5R2, how can I tell the
> version?

snort -V

that must be a capital 'V'...

> My Frag3 line is:
>
> preprocessor frag3_engine: policy first detect_anomalies timeout 30

ok...



> I notice that I can set the Stream5 timeout to a value too, so maybe I will set that to 30 seconds and see

you caught my mistake :) good that you looked there... that might be where you 
need to make that setting for what you are trying to do :)



On 2 September 2012 06:19, waldo kitty <wkitty42 () windstream net
<mailto:wkitty42 () windstream net>> wrote:

    On 9/1/2012 22:36, Gmail Personal wrote:
     > Hi guys, my Frag3 timeout of 30 seconds is ignored when I'm doing some
    testing
     > with Scapy
     >
     > Is it as simple as putting "timeout 30" in the Frag engine options?

    you need to explain a bit more details... what do you mean that the timeout is
    not working?

    are you expecting that snort will timeout on the stream after 30 seconds or
    what??

    what version of snort are you running?

    what, exactly, does your stream3 config line look like??

    FWIW: all of our crystal balls are in the repair shop due to failures in reading
    what others are trying to depict with their reports... we only have what
    you/they can accurately explain to us to work with... "it isn't working" is like
    saying the "car won't start" and no one can tell if the battery is dead or the
    gas is watered down...

    so help us to help you... give us as much detail as you can that is specific to
    the problem you are having ;)
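As an added illustration (not code from this thread or from Snort itself), here is a toy model of the behaviour Emeka expected: a defragmenter that throws away a partial datagram once it is older than its timeout. The `Fragment`, `Reassembler` and `run_test` names and the sample payload are constructed for this example. With a sensor timeout of 30 and a host timeout of 60, a second fragment arriving 45 seconds later is reassembled by the host model but not by the sensor model, which is the blind window the thread is probing; raising the sensor timeout to match the host's makes both agree.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    frag_id: int   # IP identification field shared by all pieces of one datagram
    offset: int    # byte offset of this piece within the original payload
    data: bytes
    more: bool     # "more fragments" flag; False on the last piece
    t: float       # arrival time in seconds

class Reassembler:
    """Toy timeout-based IP defragmenter (a constructed model, not frag3's code)."""
    def __init__(self, timeout):
        self.timeout = timeout
        self.table = {}  # frag_id -> (first_seen, {offset: Fragment})

    def add(self, f):
        """Insert one fragment; return the full payload once complete, else None."""
        first_seen, pieces = self.table.get(f.frag_id, (f.t, {}))
        if f.t - first_seen > self.timeout:
            # partial datagram is stale: drop it and start over from this piece
            first_seen, pieces = f.t, {}
        pieces[f.offset] = f
        self.table[f.frag_id] = (first_seen, pieces)
        return self._complete(pieces)

    @staticmethod
    def _complete(pieces):
        expected = 0
        for off in sorted(pieces):
            if off != expected:  # hole in the data, still waiting
                return None
            expected = off + len(pieces[off].data)
        last = pieces[max(pieces)]
        return None if last.more else b"".join(pieces[o].data for o in sorted(pieces))

def run_test(ids_timeout, host_timeout, gap, payload=b"CONSTRUCTED-SAMPLE-PAYLOAD"):
    """Replay the thread's experiment: two fragments, the second sent `gap` seconds
    later. Returns (sensor_reassembled, host_reassembled)."""
    cut = len(payload) // 2
    frags = [Fragment(1, 0, payload[:cut], True, 0.0),
             Fragment(1, cut, payload[cut:], False, float(gap))]
    results = []
    for timeout in (ids_timeout, host_timeout):
        r = Reassembler(timeout)
        out = [r.add(f) for f in frags]
        results.append(out[-1] == payload)
    return tuple(results)
```

`run_test(30, 60, 45)` returns `(False, True)` and `run_test(60, 60, 45)` returns `(True, True)`; whether frag3 really prunes at exactly `timeout` seconds is not settled by this thread, so the model shows the expected outcome, not Snort's observed one.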

