[Snort-devel] overlapping fragments

Smith, Donald Donald.Smith at ...530...
Wed May 22 07:27:02 EDT 2002


At no time should fragments over lap.
each fragment should reassemble to make one single whole packet.
I can think of NO reason for one frag to overlap/overwrite part of the
previous 
fragment.


Donald.Smith at ...530... GCIA
QIS/WWN Security
303-226-9939 Office
720-320-1537 cell

> -----Original Message-----
> From: Ashley Thomas [mailto:athomas at ...1383...]
> Sent: Tuesday, May 21, 2002 4:46 PM
> To: snort-devel at lists.sourceforge.net
> Subject: [Snort-devel] overlapping fragments
> 
> 
> Hi,
> 
> Overlapping fragments is known to be a misbehaviour. right ?
> So does the IDS need to 'try' to reassemble that set of fragments
> or just give an alert ??
> 
> What should be the ideal behaviour ?
> 
> I think RFC does'nt restrict fragments to be non-overlapping...
> In some cases overlapping fragments can be legitimate, right.
> 
> any pointers/ideas.
> 
> thanks
> ashley
> 
> --------------------------------------------------------------
> ----------
> What I do today is important because I am paying a day of my 
> life for it. 
> --------------------------------------------------------------
> ----------
> 
> _______________________________________________________________
> 
> Don't miss the 2002 Sprint PCS Application Developer's Conference
> August 25-28 in Las Vegas -- http://devcon.sprintpcs.com/adp/index.cfm
> 
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
> 




More information about the Snort-devel mailing list