[Snort-devel] Incomplete Packet Fragments Discarded

Ashley Thomas athomas at ...1383...
Wed Jan 29 19:22:04 EST 2003


Hi,

Greetings.

I was trying to figure out when and how this alert - Incomplete Packet Fragments Discarded - is generated. The alert 'Incomplete Packet Fragments Discarded' seems to be printed from spp_defrag.c. For snort.1.8.6 version or earlier, which is the fragmentation reassembly module used by default?

Also, the alert seems to be in the ReassembleIP() function, and it seems like the alert is triggered and fragments are discarded when the fragments are not complete. (Are the fragments discarded when some timeout occurs or when it is incomplete? - based on spp_defrag.c)

When I do a make I see spp_defrag.o and spp_frag2.o being linked to get snort? I guess spp_frag2 is the latest of the two and is chosen by default.

Can anyone give some info about when spp_defrag will be used?


Thanks a lot,
Ashley





