[Snort-devel] defrag and stream in snort-1.7
larsjaso at ...282...
Fri May 25 10:17:38 EDT 2001
I don't really see overlapping fragments in the wild. Isn't it easier to
alert on all overlapping fragments than to try and figure out what OS is on
the recieving end? I whipped up a preprocessor that looks for them last
summer. I can clean it up and post it if anyone wants, but it would
probably be more efficient as part of one of the other modules.
larsjaso at ...444...
----- Original Message -----
From: "Martin Roesch" <roesch at ...402...>
To: "Burak DAYIOGLU" <dayioglu at ...287...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Tuesday, May 22, 2001 10:25 PM
Subject: Re: [Snort-devel] defrag and stream in snort-1.7
Yes, we're here but I for one have been busy with several conferences.
Now that I'm finally back home, I'm going to probably take about a day
or three to get through the 795 messages in my inbox. Pity me and
please be patient. ;)
Burak DAYIOGLU wrote:
> 贾红石 wrote:
> > I tested defrag using fragrouter,but it did not seem to work.
> > Are there any bugs in defrag and stream preprocessor in snort-1.7
> > or my test method is wrong ?
> If fragrouter can create overlapping fragments to test it will be
> obvious that Snort will not be able to catch up.
> I wrote an email to Mr. Roesch and Mr. Rui regarding overlapping
> fragments and one easy way to overcome this (roughly 2 weeks ago)
> with no answer back. Are they on the list listening?
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
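The idea raised in the reply at the top of this thread, alerting on any overlapping fragment rather than modelling the receiver's reassembly policy, can be sketched as follows. This is an added example, not the preprocessor mentioned in the post and not Snort code; all struct, function and constant names are hypothetical and the sample fragments are constructed.

```c
#include <stdint.h>
#include <stddef.h>

#define MAX_TRACKED 256                 /* constructed limit for this example */

/* One IPv4 fragment. start = (frag_off & 0x1FFF) * 8 and
 * len = total_length - header_length. Hypothetical names throughout. */
struct frag {
    uint32_t src, dst;                  /* addresses */
    uint16_t id;                        /* IP identification field */
    uint8_t  proto;
    uint16_t start, len;                /* payload byte range in the datagram */
};

struct frag_table { struct frag seen[MAX_TRACKED]; int count; };

static int same_datagram(const struct frag *a, const struct frag *b)
{
    return a->src == b->src && a->dst == b->dst &&
           a->id == b->id && a->proto == b->proto;
}

/* Returns 1 if f intersects an earlier fragment of the same datagram (an exact
 * duplicate counts too), -1 if the table is full, else stores f and returns 0. */
int frag_observe(struct frag_table *t, const struct frag *f)
{
    uint32_t f_end = (uint32_t)f->start + f->len;       /* exclusive end */
    for (int i = 0; i < t->count; i++) {
        const struct frag *s = &t->seen[i];
        uint32_t s_end = (uint32_t)s->start + s->len;
        if (same_datagram(s, f) && f->start < s_end && s->start < f_end)
            return 1;                                   /* alert, no OS guess needed */
    }
    if (t->count == MAX_TRACKED)
        return -1;
    t->seen[t->count++] = *f;
    return 0;
}

/* Constructed sample traffic: returns how many fragments would raise an alert. */
int count_sample_alerts(void)
{
    struct frag_table t = {0};
    const struct frag sample[] = {
        {1, 2, 0x1234, 17,  0, 24},     /* first fragment */
        {1, 2, 0x1234, 17, 24, 24},     /* adjacent, no overlap */
        {1, 2, 0x1234, 17, 16, 16},     /* rewrites bytes 16..31: overlap */
        {1, 2, 0x1235, 17, 16, 16},     /* different datagram: clean */
    };
    int alerts = 0;
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        alerts += frag_observe(&t, &sample[i]) == 1;
    return alerts;
}
```

A real sensor would also expire entries on a timer and bound memory per source; the fixed table here only keeps the sketch short.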