[Snort-devel] Incomplete Packet Fragments Discarded
athomas at ...1383...
Wed Jan 29 19:22:04 EST 2003
I was trying to figure out when and how is this alert - Incomplete
Packet Fragments Discarded
generated. The alert 'Incomplete Packet Fragments Discarded' seem to be
from spp_defrag.c. For snort.1.8.6 version, or earlier which is the
reassembly module used by default ?
Also, the alert seems to be in ReassembleIP() function
and seems like the alert is triggered and fragments are discarded,
when the fragments are not complete. ( are the fragments discarded when
occurs or when it is incomplete ? - based on spp_defrag.c )
When i do a make I see spp_defrag.o and spp_frag2.o being linked to get
I guess, spp_frag2 is the latest of the two and is by default chosen.
Can anyone give some info about when spp_defrag will be used ?
Thanks a lot,
More information about the Snort-devel