[Snort-devel] handling multiple packets in snort

Rob McMillen rvmcmil at ...891...
Wed Jan 9 20:05:03 EST 2002


I have a few questions.

1.  Other than the fragment handling preprocessors, are there any other
plugins that require more than one packet to work properly?  Please let me
know if I need to rephrase this question.

Assuming the following is correct:  fragment handling preprocessors make a
copy of a fragment as it comes in.  Once all fragments arrive, it
reassembles and sends it through the detection process.  Therefore, Snort
sees every single fragment plus the assembled packet.  Please let me know if
I have this wrong.

2.  Once the fragment handling preprocessor reassembles a packet, is the
frag flag set on the packet that it sends back through the detection
process?  If not, is there a way to tell the difference between a regular
packet and a packet assembled by the fragment handler?

Thanks in advance,

Rob
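As an added illustration of the reassembly model the question describes (example code written for this page, not Snort's frag preprocessor and not any Snort API), the toy IPv4 reassembler below passes every fragment on to "detection" as it arrives and, once a datagram is complete, also emits the reassembled datagram carrying a constructed `reassembled` marker, which is the kind of distinction the second question asks about. The `Packet` class, `build_ipv4`, `parse_ipv4`, `FragReassembler` and the sample addresses and payload are all assumptions constructed here; the header checksum is left at zero since nothing on the wire verifies it.

```python
"""Toy IPv4 fragment reassembly (added example, not Snort code).

Models the behaviour described in the question: each fragment is handed
to detection on its own, and when the datagram is complete the
reassembled copy is handed to detection as well, marked as reassembled.
"""
import socket
import struct
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    ip_id: int
    proto: int
    frag_offset: int          # offset in bytes (header field is in 8-byte units)
    more_frags: bool          # MF flag
    payload: bytes
    reassembled: bool = False  # hypothetical marker set only by the reassembler

    @property
    def is_fragment(self) -> bool:
        """True for any piece of a fragmented datagram, first piece included."""
        return self.more_frags or self.frag_offset > 0


def build_ipv4(src, dst, ip_id, proto, offset_bytes, more_frags, payload):
    """Construct a minimal IPv4 header (no options, checksum zero) + payload."""
    assert offset_bytes % 8 == 0, "fragment offsets are 8-byte aligned"
    flags_frag = ((1 if more_frags else 0) << 13) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id,
                         flags_frag, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def parse_ipv4(raw: bytes) -> Packet:
    """Decode the fixed header fields needed to key and order fragments."""
    (vihl, _tos, total_len, ip_id, flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (vihl & 0x0F) * 4
    return Packet(socket.inet_ntoa(src), socket.inet_ntoa(dst), ip_id, proto,
                  (flags_frag & 0x1FFF) * 8, bool(flags_frag & 0x2000),
                  raw[ihl:total_len])


class FragReassembler:
    """Keeps a copy of every fragment per (src, dst, id, proto) datagram."""

    def __init__(self):
        self.table = {}  # key -> {"frags": {offset: payload}, "total": int | None}

    def process(self, pkt: Packet) -> list:
        """Return the packets detection should see after this one arrives."""
        out = [pkt]  # the raw fragment itself always goes to detection
        if not pkt.is_fragment:
            return out
        key = (pkt.src, pkt.dst, pkt.ip_id, pkt.proto)
        entry = self.table.setdefault(key, {"frags": {}, "total": None})
        # First fragment seen at an offset wins; overlap policy is a
        # separate design decision and is deliberately not modelled here.
        entry["frags"].setdefault(pkt.frag_offset, pkt.payload)
        if not pkt.more_frags:  # MF=0 fixes the datagram's total length
            entry["total"] = pkt.frag_offset + len(pkt.payload)
        if entry["total"] is not None and self._complete(entry):
            data = b"".join(entry["frags"][o] for o in sorted(entry["frags"]))
            del self.table[key]
            out.append(Packet(pkt.src, pkt.dst, pkt.ip_id, pkt.proto,
                              0, False, data, reassembled=True))
        return out

    @staticmethod
    def _complete(entry) -> bool:
        """Contiguous, gap-free coverage from offset 0 up to the known total."""
        pos = 0
        for off in sorted(entry["frags"]):
            if off != pos:
                return False
            pos = off + len(entry["frags"][off])
        return pos == entry["total"]


def demo() -> list:
    """Constructed sample: one 24-byte datagram in three fragments, delivered
    out of order, run through the reassembler; returns what detection sees."""
    payload = bytes(range(24))
    args = ("10.0.0.1", "10.0.0.2", 0x1234, 17)  # constructed addresses, UDP
    wire = [build_ipv4(*args, 16, False, payload[16:]),  # last piece first
            build_ipv4(*args, 0, True, payload[:8]),
            build_ipv4(*args, 8, True, payload[8:16])]
    reassembler = FragReassembler()
    seen = []
    for raw in wire:
        seen.extend(reassembler.process(parse_ipv4(raw)))
    return seen


if __name__ == "__main__":
    for p in demo():
        print(f"offset={p.frag_offset:3d} mf={p.more_frags!s:5} "
              f"len={len(p.payload):2d} reassembled={p.reassembled}")
```

Detection here receives four packets for one datagram: the three raw fragments, each with `is_fragment` true, and then the reassembled copy, which has no fragment bits set but carries the `reassembled` marker. That marker is what lets a rule or plugin tell an original unfragmented packet apart from one the reassembler produced.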
