[Snort-devel] Snort Reassembly Plugin Bug?

Marc Necker marc at ...427...
Mon Jun 11 23:11:03 EDT 2001


Hello Bart,

On Tue, Jun 12, 2001 at 02:16:59AM +0200, Bart van Kuik wrote:

> > I'm going through the code because I am currently interested in how snort
> > handles received overlapping data. I'd appreciate if someone could tell me
> > how it is supposed to do that (i.e. if later arriving data overwrites
> > already buffered data or vice versa).
> 
> You wouldn't happen to have some documentation about that online,
> would you? 

In fact, yes, in the meantime I found information on that in the TCP-RFC
(RFC 793): http://rfc.net/rfc793.html . See page 53, second paragraph.
So I'm not sure if that's handled properly by Snort as the insertion sort
looks dysfunctional to me ... what do you think?

> Anyway, if you're interested, I am busy writing a report on
> IDSes and it contains a chapter on the Snort code. See also
> http://www.vankuik.nl/

Thanks, I'll check that out!

> (It seems Snort is a good study object).

Yes, it really is!


-- 
CU - Marc
EMail: Marc at ...427...
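
The question raised in this message, whether later-arriving data overwrites already buffered data or vice versa, shown as an added example that is not part of the original post and is not Snort's code: a minimal reassembly buffer that applies either policy to constructed segments. The struct, function names, sequence numbers and payloads are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STREAM_MAX 64
enum overlap_policy { KEEP_BUFFERED, KEEP_NEWEST };
struct stream {
    uint32_t isn;                                     /* sequence number of stream byte 0 */
    unsigned char data[STREAM_MAX], have[STREAM_MAX]; /* have[i] = 1 once byte i is buffered */
};

/* Buffer one segment; return how many bytes clash with different buffered data. */
static int add_segment(struct stream *s, enum overlap_policy pol,
                       uint32_t seq, const char *payload, size_t len)
{
    int conflicts = 0;
    for (size_t i = 0; i < len; i++) {
        uint32_t off = seq + (uint32_t)i - s->isn;  /* unsigned math survives wrap */
        if (off >= STREAM_MAX)
            continue;                               /* outside the buffer: ignore */
        conflicts += s->have[off] && s->data[off] != (unsigned char)payload[i];
        if (!s->have[off] || pol == KEEP_NEWEST)
            s->data[off] = (unsigned char)payload[i];
        s->have[off] = 1;
    }
    return conflicts;
}

/* Constructed sample: B arrives last and overlaps the end of A and the start of C. */
static int reassemble_sample(enum overlap_policy pol, char *out, size_t outsz)
{
    struct stream s = { .isn = 1000 };
    int conflicts = add_segment(&s, pol, 1000, "ABCDEF", 6);   /* A: bytes 0-5  */
    conflicts += add_segment(&s, pol, 1008, "IJKL", 4);        /* C: bytes 8-11 */
    conflicts += add_segment(&s, pol, 1004, "xxGHyy", 6);      /* B: bytes 4-9  */
    size_t n = 0;
    for (; n < STREAM_MAX && n + 1 < outsz && s.have[n]; n++)
        out[n] = (char)s.data[n];                   /* copy the contiguous prefix */
    out[n] = '\0';
    return conflicts;
}

int main(void)
{
    char out[STREAM_MAX + 1];
    int c = reassemble_sample(KEEP_BUFFERED, out, sizeof out);
    printf("keep buffered: %s (%d conflicting bytes)\n", out, c);
    c = reassemble_sample(KEEP_NEWEST, out, sizeof out);
    printf("keep newest:   %s (%d conflicting bytes)\n", out, c);
}
```

Both policies count the same conflicting bytes but produce different streams, so a sensor can flag overlaps whose content differs regardless of which policy it reassembles with.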