Snort mailing list archives
Re: Frag3 timeout ignored
From: waldo kitty <wkitty42 () windstream net>
Date: Sun, 02 Sep 2012 16:32:30 -0400
On 9/2/2012 03:20, Emeka Agu wrote:
> So sorry, it was early in the morning and I wasn't fully functioning!

yeah... for me, too... actually the end of a very long day... thus i typed stream3 when i meant frag3 :/

> Anyway, in Snort I set the timeout for fragments as 30 seconds. I know Windows has a 60 second fragment timeout. Using scapy I fragment a packet into two (Wireshark sees the separation as an IP fragment). I send the first fragment straight away, wait 45 seconds then send the next, thinking the original fragment will be dropped from Snort's buffer but kept by the OS buffer, but Snort STILL notices it, reassembles the file and alerts me to the content.

ahhh... ok... i understand better now ;)

> As for version, it is the default one on Backtrack 5R2, how can I tell the version?

snort -V

that must be a capital 'V'...

> My Frag3 line is: preprocessor frag3_engine: policy first detect_anomalies timeout 30

ok...

> I notice that I can set the Stream5 timeout to a value too, so maybe I will set that to 30 seconds and see

you caught my mistake :) good that you looked there... that might be where you need to make that setting for what you are trying to do :)
> On 2 September 2012 06:19, waldo kitty <wkitty42 () windstream net> wrote:
>> On 9/1/2012 22:36, Gmail Personal wrote:
>>> Hi guys, my Frag3 timeout of 30 seconds is ignored when I'm doing some testing
>>> with Scapy
>>>
>>> Is it as simple as putting "timeout 30" in the Frag engine options?
>>
>> you need to explain a bit more details... what do you mean that the timeout is not working? are you expecting that snort will timeout on the stream after 30 seconds or what?? what version of snort are you running? what, exactly, does your stream3 config line look like??
>>
>> FWIW: all of our crystal balls are in the repair shop due to failures in reading what others are trying to depict with their reports... we only have what you/they can accurately explain to us to work with... "it isn't working" is like saying the "car won't start" and no one can tell if the battery is dead or the gas is watered down... so help us to help you... give us as much detail as you can that is specific to the problem you are having ;)
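Added example, not part of the original thread and not Snort's own code: a Python check that reads `frag3_engine` lines from a Snort 2.x config and reports, for a given host reassembly timeout, the delay window in which the sensor and the host would disagree about a held fragment. It assumes each side discards a partial datagram once its timeout passes; the sample config is constructed around the line quoted in the post, the 60-second host value is the Windows figure stated there, and the function names are hypothetical.

```python
import re

FRAG3_DEFAULT_TIMEOUT = 60  # frag3_engine default when "timeout" is omitted

# Constructed sample: the first engine is the line quoted in the post,
# the second is an invented engine that relies on the default timeout.
SAMPLE_CONF = r"""
# frag3 engines
preprocessor frag3_engine: policy first detect_anomalies timeout 30
preprocessor frag3_engine: policy linux \
    bind_to 192.168.1.0/24
"""

def logical_lines(conf_text):
    """Yield config lines with comments dropped and '\\' continuations joined."""
    buf = ""
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            yield buf.strip()
        buf = ""
    if buf.strip():
        yield buf.strip()

def frag3_engines(conf_text):
    """Return one dict per frag3_engine line: policy, timeout, bind_to."""
    engines = []
    for line in logical_lines(conf_text):
        m = re.match(r"preprocessor\s+frag3_engine\s*:?\s*(.*)$", line)
        if not m:
            continue
        opts = m.group(1).split()
        eng = {"policy": "bsd", "timeout": FRAG3_DEFAULT_TIMEOUT, "bind_to": "all"}
        for key in eng:
            if key in opts and opts.index(key) + 1 < len(opts):
                val = opts[opts.index(key) + 1]
                eng[key] = int(val) if key == "timeout" else val
        engines.append(eng)
    return engines

def timeout_gaps(conf_text, host_timeout):
    """Per engine: the (sensor, host) delay window in seconds where the sensor
    has expired a partial datagram but the host still holds it, else None."""
    return [{**e, "gap": (e["timeout"], host_timeout)
             if e["timeout"] < host_timeout else None}
            for e in frag3_engines(conf_text)]
```

With the post's values the first engine reports a 30 to 60 second window, which contains the 45-second delay used in the test; an engine whose timeout is at least the host's reports no window.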