Re: frag3 preprocessor type definitions

[Joel Esler <jesler () sourcefire com>]

First favors the fragment that arrived first.  *the original fragment with a given offset*
Windows favors the fragment that arrived last if it begins at an offset smaller than the original fragment and ends at 
an offset greater than the original fragment's offset.  Otherwise, the Windows policy favors the fragment that arrived 
first.

Joel

On Jan 13, 2011, at 4:40 PM, Crook, Parker wrote:

> Howdy,
>  
> I was thumbing through the 2.9.0 manual for any changes and noticed on page 40 that the policy type definitions and 
> the default value in the snort.conf that comes in the source don’t mesh well…
>  
> From the snort.conf in 2.9.0.3 source:
> preprocessor frag3_engine: policy windows […]
>  
> From the manual (emphasis mine):
>  
> Platform                                                              Type
> Windows (95/98/NT4/W2K/XP)                 First
> …
> Preprocessor frag3_engine: policy first […]
>  
>  
> I am currently running with the policy ‘windows’ in place and snort is not complaining, in fact from my logs:
> Jan 13 16:15:01 INSMT01-MON01 snort[26083]: Frag3 engine config:
> Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Target-based policy: WINDOWS
> Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Fragment timeout: 180 seconds
> Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Fragment min_ttl:   1
> Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Fragment Problems: 1
> Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Overlap Limit:     10
> Jan 13 16:15:01 INSMT01-MON01 snort[26083]:     Min fragment Length:     100
>  
> I did check the spp_frag3.c source and found the FRAG_POLICY_WINDOWS right after FRAG_POLICY_FIRST.  Is there any 
> functional difference in the two modes or are they redundant?  If they are functionally different can you explain in 
> which scenarios you should use one over the other?
>  
> Thanks,
> Parker
>  
> ------------------------------------------------------------------------------
> Protect Your Site and Customers from Malware Attacks
> Learn about various malware tactics and how to avoid them. Understand 
> malware threats, the impact they can have on your business, and how you 
> can protect your company and customers by using code signing.
> http://p.sf.net/sfu/oracle-sfdevnl_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Joel Esler
jesler () sourcefire com
http://blog.snort.org && http://blog.clamav.net

------------------------------------------------------------------------------
Protect Your Site and Customers from Malware Attacks
Learn about various malware tactics and how to avoid them. Understand 
malware threats, the impact they can have on your business, and how you 
can protect your company and customers by using code signing.
http://p.sf.net/sfu/oracle-sfdevnl

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users