Snort mailing list archives
Re: frag3 preprocessor type definitions
From: Joel Esler <jesler () sourcefire com>
Date: Thu, 13 Jan 2011 17:00:13 -0500
First favors the fragment that arrived first. *the original fragment with a given offset*

Windows favors the fragment that arrived last if it begins at an offset smaller than the original fragment and ends at an offset greater than the original fragment's offset. Otherwise, the Windows policy favors the fragment that arrived first.

Joel

On Jan 13, 2011, at 4:40 PM, Crook, Parker wrote:
Howdy,

I was thumbing through the 2.9.0 manual for any changes and noticed on page 40 that the policy type definitions and the default value in the snort.conf that comes in the source don't mesh well...

From the snort.conf in 2.9.0.3 source:

    preprocessor frag3_engine: policy windows [...]

From the manual (emphasis mine):

    Platform Type Windows (95/98/NT4/W2K/XP) First ...
    Preprocessor frag3_engine: policy first [...]

I am currently running with the policy 'windows' in place and snort is not complaining; in fact, from my logs:

    Jan 13 16:15:01 INSMT01-MON01 snort[26083]: Frag3 engine config:
    Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Target-based policy: WINDOWS
    Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Fragment timeout: 180 seconds
    Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Fragment min_ttl: 1
    Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Fragment Problems: 1
    Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Overlap Limit: 10
    Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Min fragment Length: 100

I did check the spp_frag3.c source and found the FRAG_POLICY_WINDOWS right after FRAG_POLICY_FIRST. Is there any functional difference in the two modes or are they redundant? If they are functionally different, can you explain in which scenarios you should use one over the other?

Thanks,
Parker

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand malware threats, the impact they can have on your business, and how you can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Joel Esler jesler () sourcefire com http://blog.snort.org && http://blog.clamav.net
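The two overlap rules described in the reply above, as an added worked example (this is not code from the thread or from Snort's spp_frag3.c): a small Python reassembler that replays a constructed fragment sequence under the "first" and "windows" policies and shows where the reassembled payload diverges. The `Fragment` type, the `STREAM` arrival sequences and the function names are assumptions for illustration; frag3's other machinery (timeouts, min_ttl, overlap limit, minimum fragment length) is deliberately not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    """One IP fragment reduced to what the overlap policies look at:
    its byte offset in the reassembled datagram and its payload.
    (Illustrative type, not a Snort structure.)"""
    offset: int
    data: bytes

    @property
    def end(self) -> int:
        return self.offset + len(self.data)


def later_wins(policy: str, existing: Fragment, new: Fragment) -> bool:
    """Decide, for two overlapping fragments, whether the later arrival
    (new) displaces the earlier one (existing) for the bytes they share.
    Only the two policies discussed in the thread are modelled."""
    if policy == "first":
        # Whatever arrived first keeps its bytes, unconditionally.
        return False
    if policy == "windows":
        # The later fragment wins only if it begins at a smaller offset than
        # the original fragment and ends past the original fragment's offset;
        # otherwise the first arrival is favored, exactly as for "first".
        return new.offset < existing.offset and new.end > existing.offset
    raise ValueError(f"unknown policy {policy!r}")


def reassemble(frags, policy: str) -> bytes:
    """Reassemble fragments in arrival order under the given policy."""
    owner = {}  # byte position -> fragment currently supplying that byte
    for new in frags:
        for pos in range(new.offset, new.end):
            existing = owner.get(pos)
            if existing is None or later_wins(policy, existing, new):
                owner[pos] = new
    length = max(f.end for f in frags)
    out = bytearray(length)  # positions no fragment covered stay 0x00
    for pos, frag in owner.items():
        out[pos] = frag.data[pos - frag.offset]
    return bytes(out)


# Constructed arrival sequence (not a capture): the third fragment arrives
# last, starts before the second one and completely covers it, which is the
# case where the "windows" rule picks the later arrival.
STREAM = [
    Fragment(0, b"GET /"),
    Fragment(5, b"index.html\n"),
    Fragment(4, b"/etc/passwd\n"),
]

# Constructed control case: the later fragment starts *after* the earlier
# one, so both policies keep the first arrival's bytes.
STREAM_NO_ENGULF = [
    Fragment(0, b"GET /index.html\n"),
    Fragment(5, b"passwd.txt\n"),
]


if __name__ == "__main__":
    for pol in ("first", "windows"):
        print(f"{pol:8s} {reassemble(STREAM, pol)!r}")
```

The point for a sensor operator: the same three fragments yield `GET /index.html` under `policy first` and `GET /etc/passwd` under `policy windows`, so the policy must match the host being protected or the signature matching runs against a datagram the target never sees. Where no fragment engulfs an earlier one (the second sequence), the two policies agree, which is why a misconfigured sensor can run for a long time without any visible symptom.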
Current thread:
- frag3 preprocessor type definitions Crook, Parker (Jan 13)
- Re: frag3 preprocessor type definitions Joel Esler (Jan 13)
- Re: frag3 preprocessor type definitions Joel Esler (Jan 14)