Snort mailing list archives

Frag3 target default setting


From: Research <research () nativemethods com>
Date: Sat, 28 Feb 2015 16:18:44 -0500

Hi,

I have noticed that in the default snort.conf file that ships with Snort 2.9.7.0, the frag3 preprocessor's setting for "policy" is "windows":

        preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

Based on the latest Snort manual, I note the following about target based assembly:

        "The basic idea behind target-based IDS is that we tell the IDS information about hosts on the network so that it can avoid Ptacek & Newsham style evasion attacks based on information about how an individual target IP stack operates."

In my case, I am using Snort in passive mode on a web server based on Linux. The target that I am protecting is not a network, but a single Linux host.

In this case, should I not change the policy to linux, as in:

        preprocessor frag3_engine: policy linux detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

…or am I a) incorrect or b) the differences are minimal ?

Thanks
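An added example, not part of the original post and not Snort's own code: a small Python lint that parses the frag3_engine lines of a snort.conf, works out which reassembly policy each protected host actually gets (engines with bind_to are matched first, an unbound engine is the catch-all), and flags hosts whose policy does not match their operating system. The conf excerpt and host addresses are constructed; the fallback to policy bsd when no policy keyword is present is an assumption taken from the Snort manual's stated default.

```python
import ipaddress
import re

# Constructed snort.conf excerpt: the shipped Windows default engine plus a
# second engine bound to one Linux host (hypothetical address).
SNORT_CONF = """\
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
preprocessor frag3_engine: policy linux bind_to 192.0.2.10 detect_anomalies timeout 180
"""

# Constructed inventory of protected hosts -> OS family (hypothetical addresses).
HOSTS = {"192.0.2.10": "linux", "192.0.2.20": "linux"}


def parse_frag3_engines(conf):
    """Return one dict per frag3_engine line: its policy and bind_to targets."""
    engines = []
    for line in conf.splitlines():
        line = line.strip()
        if not line.startswith("preprocessor frag3_engine:"):
            continue
        opts = line.split(":", 1)[1]
        policy = re.search(r"\bpolicy\s+(\S+)", opts)
        bind = re.search(r"\bbind_to\s+(\[[^\]]*\]|\S+)", opts)
        targets = []
        if bind:
            targets = [t.strip() for t in bind.group(1).strip("[]").split(",") if t.strip()]
        # Assumption: bsd is the default when no policy keyword is given (per the Snort manual).
        engines.append({"policy": policy.group(1) if policy else "bsd", "bind_to": targets})
    return engines


def effective_policy(engines, host):
    """Policy applied to host: first bound engine covering it, else the unbound catch-all."""
    addr = ipaddress.ip_address(host)
    for eng in engines:
        if any(addr in ipaddress.ip_network(t, strict=False) for t in eng["bind_to"]):
            return eng["policy"]
    for eng in engines:
        if not eng["bind_to"]:
            return eng["policy"]
    return None


def find_mismatches(conf, hosts):
    """Map host -> (configured policy, expected OS) for every host reassembled under the wrong policy."""
    engines = parse_frag3_engines(conf)
    return {h: (effective_policy(engines, h), os_name)
            for h, os_name in hosts.items() if effective_policy(engines, h) != os_name}
```

With the constructed input, 192.0.2.10 is reassembled as linux via its bound engine, while 192.0.2.20 falls through to the windows catch-all and is reported as a mismatch.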