[Snort-devel] overlapping fragments

Ashley Thomas athomas at ...1383...
Tue May 21 15:47:02 EDT 2002


Hi,

Overlapping fragments is known to be a misbehaviour. right ?
So does the IDS need to 'try' to reassemble that set of fragments
or just give an alert ??

What should be the ideal behaviour ?

I think RFC does'nt restrict fragments to be non-overlapping...
In some cases overlapping fragments can be legitimate, right.

any pointers/ideas.

thanks
ashley

------------------------------------------------------------------------
What I do today is important because I am paying a day of my life for it. 
------------------------------------------------------------------------




More information about the Snort-devel mailing list