[Snort-devel] Packet Flags and preprocessors.....
cmg at ...402...
Wed May 7 05:24:02 EDT 2003
"Stefan Bauer" <mail at ...1970...> writes:
> Now I'd like to get all packets that are not
> defragmented. How can I see this in snort? The spp_frag2 sets the
> defrag_packet->packet_flags explicitly to PKT_REBUILT_FRAG and sends it
> to the ProcessPacket(). First action here is setting these flags to
> zero. Is this normal?
It's normal but I don't think anyone has needed to do that since the
standard way has been to ignore fragmented traffic :)
At the start of ProcessPacket, add a check to see if the flags are
rebuilt and leave the flags alone and the normal mechanism should work.
Chris Green <cmg at ...402...>
To err is human, to moo bovine.