[Snort-devel] defrag and stream in snort-1.7

Jason Larsen larsjaso at ...282...
Fri May 25 10:17:38 EDT 2001


I don't really see overlapping fragments in the wild.  Isn't it easier to
alert on all overlapping fragments than to try and figure out what OS is on
the receiving end?  I whipped up a preprocessor that looks for them last
summer.  I can clean it up and post it if anyone wants, but it would
probably be more efficient as part of one of the other modules.

Jason Larsen
larsjaso at ...444...

----- Original Message -----
From: "Martin Roesch" <roesch at ...402...>
To: "Burak DAYIOGLU" <dayioglu at ...287...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Tuesday, May 22, 2001 10:25 PM
Subject: Re: [Snort-devel] defrag and stream in snort-1.7


Yes, we're here but I for one have been busy with several conferences.
Now that I'm finally back home, I'm going to probably take about a day
or three to get through the 795 messages in my inbox.  Pity me and
please be patient. ;)

     -Marty

Burak DAYIOGLU wrote:
>
> 贾红石 wrote:
> > I tested defrag using fragrouter,but it did not seem to work.
> > Are there any bugs in defrag and stream preprocessor in snort-1.7
> > or my test method is wrong ?
>
> If fragrouter can create overlapping fragments to test it will be
> obvious that Snort will not be able to catch up.
>
> I wrote an email to Mr. Roesch and Mr. Rui regarding overlapping
> fragments and one easy way to overcome this (roughly 2 weeks ago)
> with no answer back. Are they on the list listening?
>
> regards,
> -bd
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> http://lists.sourceforge.net/lists/listinfo/snort-devel

--
Martin Roesch
roesch at ...402...
http://www.sourcefire.com - http://www.snort.org
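
The check described in the top message, alerting on any overlapping fragment regardless of the receiving OS, as an added example (it is not Jason Larsen's preprocessor and not Snort code). The struct layout, table limits and function names are assumptions, and tracked datagrams are never timed out or evicted here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DGRAMS 64   /* datagrams tracked at once (assumed limit) */
#define MAX_FRAGS  32   /* fragments remembered per datagram (assumed limit) */

/* Hypothetical record of one IPv4 fragment; off is the header's offset field. */
struct frag { uint32_t src, dst; uint16_t id; uint8_t proto; uint16_t off, len; };

struct dgram { int used, n; struct frag key; uint32_t start[MAX_FRAGS], end[MAX_FRAGS]; };
static struct dgram table[MAX_DGRAMS];

static int same_dgram(const struct frag *a, const struct frag *b) {
    return a->src == b->src && a->dst == b->dst && a->id == b->id && a->proto == b->proto;
}

/* Returns 1 if f overlaps bytes already seen for its datagram (an exact
 * duplicate counts too), 0 if not, -1 if the table is full. */
int frag_check(const struct frag *f) {
    uint32_t start = (uint32_t)f->off * 8u, end = start + f->len; /* offset is in 8-byte units */
    struct dgram *d = NULL, *spare = NULL;
    for (int i = 0; i < MAX_DGRAMS && !d; i++) {
        if (!table[i].used) { if (!spare) spare = &table[i]; }
        else if (same_dgram(&table[i].key, f)) d = &table[i];
    }
    if (!d) {                           /* first fragment of this datagram */
        if (!spare) return -1;
        memset(spare, 0, sizeof *spare);
        spare->used = 1; spare->key = *f; d = spare;
    }
    int overlap = 0;
    for (int i = 0; i < d->n; i++)      /* half-open ranges [start, end) */
        if (start < d->end[i] && d->start[i] < end) overlap = 1;
    if (d->n < MAX_FRAGS) { d->start[d->n] = start; d->end[d->n] = end; d->n++; }
    return overlap;
}

int main(void) {
    /* Constructed sample: three fragments of one datagram, the third overlapping. */
    struct frag s[] = { {0x0a000001, 0x0a000002, 0x1234, 6, 0, 24},
                        {0x0a000001, 0x0a000002, 0x1234, 6, 3, 24},
                        {0x0a000001, 0x0a000002, 0x1234, 6, 2, 16} };
    for (int i = 0; i < 3; i++)
        if (frag_check(&s[i]) == 1) printf("ALERT: overlapping fragment, offset %u\n", s[i].off * 8u);
    return 0;
}
```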
