[Snort-devel] Snort Reassembly Plugin Bug?
marc at ...427...
Mon Jun 11 23:11:03 EDT 2001
On Tue, Jun 12, 2001 at 02:16:59AM +0200, Bart van Kuik wrote:
> > I'm going through the code because I am currently interested in how snort
> > handles received overlapping data. I'd appreciate if someone could tell me
> > how it is supposed to do that (i.e. if later arriving data overwrites
> > already buffered data or vice versa).
> You wouldn't happen to have some documentation about that online,
> would you?
In fact, yes, in the meantime I found information on that in the TCP-RFC
(RFC 793): http://rfc.net/rfc793.html . See page 53, second paragraph.
So I'm not sure if that's handled properly by Snort as the insertion sort
looks dysfunctional to me ... what do you think?
> Anyway, if you're interested, I am busy writing a report on
> IDSes and it contains a chapter on the Snort code. See also
Thanks, I'll check that out!
> (It seems Snort is a good study object).
Yes, it really is!
CU - Marc
EMail: Marc at ...427...
More information about the Snort-devel