[Snort-devel] Packet Flags and preprocessors.....

Chris Green cmg at ...402...
Wed May 7 05:24:02 EDT 2003


"Stefan Bauer" <mail at ...1970...> writes:

> Now I'd like to get all packets that are not
> defragmented. How can I see this in snort?  The spp_frag2 sets the
> defrag_packet->packet_flags explicitly to PKT_REBUILT_FRAG and sends it
> to the ProcessPacket(). First action here is setting these flags to
> zero. Is this normal? 

It's normal but I don't think anyone has needed to do that since the
standard way has been to ignore fragmented traffic :)

At the start of ProcessPacket, add a check to see if the flags are
rebuilt and leave the flags alone, and the normal mechanism should work
fine.
-- 
Chris Green <cmg at ...402...>
To err is human, to moo bovine.
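
A minimal C model of the check suggested in the reply above, added here as an illustration; it is not Snort source and not code from either poster. The Packet layout, the flag value, is_fragment, Counts, classify() and both process_packet_* functions are assumed stand-ins for ProcessPacket() and a downstream consumer.

```c
#include <stdint.h>
#include <stdio.h>
/* Simplified model, not Snort source. Flag value and struct layout are assumed. */
#define PKT_REBUILT_FRAG 0x00000001u
/* is_fragment is hypothetical: set when the decoder saw a raw IP fragment. */
typedef struct { uint32_t packet_flags; int is_fragment; } Packet;
typedef struct { unsigned rebuilt, raw_frag, plain; } Counts;

/* Hypothetical downstream hook that needs to tell the three cases apart. */
static void classify(const Packet *p, Counts *c)
{
    if (p->packet_flags & PKT_REBUILT_FRAG) c->rebuilt++;
    else if (p->is_fragment)                c->raw_frag++;
    else                                    c->plain++;
}

/* Behaviour described in the question: flags are zeroed on entry. */
void process_packet_original(Packet *p, Counts *c)
{
    p->packet_flags = 0;
    classify(p, c);
}

/* Suggested change: leave the flags alone when the packet is marked rebuilt.
 * Packets not coming from the defragmenter must arrive with zeroed flags. */
void process_packet_checked(Packet *p, Counts *c)
{
    if (!(p->packet_flags & PKT_REBUILT_FRAG))
        p->packet_flags = 0;
    classify(p, c);
}

/* Constructed sample: one plain packet, two raw fragments, one rebuilt packet. */
Counts run(void (*process)(Packet *, Counts *))
{
    Packet feed[] = { {0, 0}, {0, 1}, {0, 1}, {PKT_REBUILT_FRAG, 0} };
    Counts c = {0, 0, 0};
    for (size_t i = 0; i < sizeof feed / sizeof feed[0]; i++)
        process(&feed[i], &c);
    return c;
}

int main(void)
{
    Counts a = run(process_packet_original), b = run(process_packet_checked);
    printf("original: rebuilt=%u raw_frag=%u plain=%u\n", a.rebuilt, a.raw_frag, a.plain);
    printf("checked:  rebuilt=%u raw_frag=%u plain=%u\n", b.rebuilt, b.raw_frag, b.plain);
    return 0;
}
```

With the unconditional reset the rebuilt packet is indistinguishable from ordinary traffic; with the check it stays marked, so anything that is neither rebuilt nor a raw fragment is traffic that was never fragmented.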



