[Snort-devel] spo_database & fragments

Chris Green cmg at ...81...
Wed Dec 20 19:36:14 EST 2000


/* We do not log fragments! They are assumed to be handled 
    by the fragment reassembly pre-processor */

The minfrag preprocessor will cause the output plugin to record an
alert but there will be no iphdr/opts/data field associated with the
packet.  Its not fun to have an alert that no one can find.
Reassembled packets shouldn't get to the output stage as a fragment
packet alert AFAICT and instead will appear as a full packet to the
output.  If nothing else, this should make the spo_database work with
the same semantics as the spo_alert_fast.c

The quick fix is to move the if(p->frag_flag) check around and let the
other fields be created.

This works in my super quick testing.  Let me know if I broke
something.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: spo_database-frag.patch
Type: text/x-patch
Size: 1864 bytes
Desc: database fragment patch
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20001220/d834f5fe/attachment.bin>
-------------- next part --------------
-- 
Chris Green <cmg at ...81...>
Fame may be fleeting but obscurity is forever.


More information about the Snort-devel mailing list