[Snort-devel] overlapping fragments

tlewis at ...255...
Wed May 22 08:14:04 EDT 2002

On Wed, 22 May 2002, Smith, Donald  wrote:

> At no time should fragments overlap.
> Each fragment should reassemble to make one single whole packet.
> I can think of NO reason for one frag to overlap/overwrite part of the
> previous fragment.

Buggy client IP stacks doing silly retransmit logic.  Also, if your
overlap detection precedes or is independent of TCP checksum verification,
then a corrupt header can appear to be an overlap.  (Or it is an overlap,
depending on your perspective.)

Networking is an empirical, not a theoretical, science; while it's nice
to have dogmatic views when you're building network programs, it's better
to be agnostic when you're writing a network analysis tool.

A good way to deal with this is to actively rectify the stream and then
run ID on the rectified stream.  If snort v2 has anything like hank's
ability to be an active network agent, then this should be possible.

Todd Lewis
tlewis at ...255...

"Bonsoir, Monet.  Work, work.  It is the most beautiful thing there is
       in the world."  -- Clemenceau
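
An added example, not part of the original message or of Snort's code: a minimal sketch in C of rectifying fragments before detection, so that the detector sees one unambiguous byte stream. The first-copy-wins policy, byte offsets (rather than IP's 8-byte units), the `MAX_DGRAM` size and all names are assumptions of this example; it also counts overlaps that repeat identical bytes separately from overlaps that change content.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_DGRAM 64            /* assumption: small buffer for the demo */
struct frag { size_t off, len; const char *data; };   /* byte offsets */

struct rectified {
    char     buf[MAX_DGRAM];    /* the single stream handed to detection */
    char     seen[MAX_DGRAM];   /* 1 where a byte has already arrived */
    size_t   total;             /* highest offset + length accepted */
    unsigned overlap_bytes;     /* bytes that arrived more than once */
    unsigned conflict_bytes;    /* overlapping bytes whose content differed */
    unsigned rejected;          /* fragments that did not fit the buffer */
};

/* Apply fragments in arrival order; the first copy of each byte wins. */
void rectify(struct rectified *r, const struct frag *f, size_t n)
{
    memset(r, 0, sizeof *r);
    for (size_t i = 0; i < n; i++) {
        if (f[i].off > MAX_DGRAM || f[i].len > MAX_DGRAM - f[i].off) {
            r->rejected++;
            continue;
        }
        for (size_t j = 0; j < f[i].len; j++) {
            size_t pos = f[i].off + j;
            if (r->seen[pos]) {             /* overlap: keep the earlier byte */
                r->overlap_bytes++;
                if (r->buf[pos] != f[i].data[j])
                    r->conflict_bytes++;
            } else {
                r->buf[pos] = f[i].data[j];
                r->seen[pos] = 1;
            }
        }
        if (f[i].off + f[i].len > r->total)
            r->total = f[i].off + f[i].len;
    }
}

/* Constructed sample: the third fragment re-sends bytes 4-7 unchanged
 * (retransmit-style) and bytes 8-11 with different content. */
int main(void)
{
    const struct frag f[] = { {0, 8, "AAAAAAAA"}, {8, 8, "BBBBBBBB"}, {4, 8, "AAAACCCC"} };
    struct rectified r;
    rectify(&r, f, sizeof f / sizeof f[0]);
    printf("%.*s overlap=%u conflict=%u\n", (int)r.total, r.buf, r.overlap_bytes, r.conflict_bytes);
    return 0;
}
```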
