[Snort-devel] spo_database & fragments

Martin Roesch roesch at ...48...
Thu Jan 18 03:21:03 EST 2001


I'm beginning to think that the DB should include a table to handle
non-packet alerts, stuff that's part of an aggregate or partial packet
match (like tiny frags).  Thoughts?

    -Marty

Chris Green wrote:
> 
> /* We do not log fragments! They are assumed to be handled
>     by the fragment reassembly pre-processor */
> 
> The minfrag preprocessor will cause the output plugin to record an
> alert but there will be no iphdr/opts/data field associated with the
> packet.  It's not fun to have an alert that no one can find.
> Reassembled packets shouldn't get to the output stage as a fragment
> packet alert AFAICT and instead will appear as a full packet to the
> output.  If nothing else, this should make the spo_database work with
> the same semantics as the spo_alert_fast.c
> 
> The quick fix is to move the if(p->frag_flag) check around and let the
> other fields be created.
> 
> This works in my super quick testing.  Let me know if I broke
> something.
> 
>   [Attachment: spo_database-frag.patch (text/x-patch) - database fragment patch]
> 
> --
> Chris Green <cmg at ...81...>
> Fame may be fleeting but obscurity is forever.

--
Martin Roesch
roesch at ...48...
http://www.snort.org
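The fragment-logging change Chris Green describes, as an added model in C (not Snort's spo_database code; the struct fields and row names are assumed): the "before" function bails out on fragments before any packet rows are written, the "after" variant writes the IP header row first and only then skips the fragment-specific part, and a check flags alert rows that have no header row to join to.

```c
/* Added example: a hypothetical model of the spo_database fragment bug
 * discussed in the thread, NOT Snort's own code. frag_flag and iph mirror
 * the thread; the row layout and everything else are assumed. */
#include <stddef.h>

struct packet {
    int frag_flag;        /* set by the decoder for IP fragments */
    const char *iph;      /* decoded IP header, NULL if absent */
    const char *data;     /* payload bytes, NULL if absent */
};

struct db_row {
    int alert_logged;     /* alert row written by the caller */
    int iphdr_logged;     /* iphdr row written */
    int data_logged;      /* data row written */
};

/* "Before": return on fragments before any packet rows are written.
 * The alert row already exists, so it has nothing to join to. */
struct db_row log_packet_before(const struct packet *p)
{
    struct db_row r = {1, 0, 0};
    if (p->frag_flag)
        return r;                 /* orphaned alert: no iphdr/opts/data */
    r.iphdr_logged = (p->iph != NULL);
    r.data_logged = (p->data != NULL);
    return r;
}

/* "After" (the quick fix as read from the thread; assumed detail): always
 * write the IP header row, and only skip the payload row for fragments. */
struct db_row log_packet_after(const struct packet *p)
{
    struct db_row r = {1, 0, 0};
    r.iphdr_logged = (p->iph != NULL);
    if (p->frag_flag)
        return r;                 /* fragment: alert still findable via iphdr */
    r.data_logged = (p->data != NULL);
    return r;
}

/* Consistency check a DB consumer could run over stored rows: an alert
 * with no iphdr row is one "no one can find". Returns 1 if orphaned. */
int alert_is_orphaned(const struct db_row *r)
{
    return r->alert_logged && !r->iphdr_logged;
}
```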