[Snort-devel] Query on processor(frag2)

Dirk Geschke Dirk at ...972...
Wed Jan 14 13:44:01 EST 2004


Hi Fred,

>   I have one question on processors(frag2). 
>   As I know, frag2 can rebuild each packet from the
> pieces and passes the full packet through for
> detection once the the process is done,right?
>   However, where did snort rebuild the packets? in
> memory? or in harddisk? 
>   If it rebuild in memory, then will the memory be
> crash? If it rebuild in harddisk, then will it be
> attacked?

it will store all fragments in memory, writing them
to disk won't really work very well...

Yes, if the machine or snort crashes this is lost.
But if the machine or snort is back then there is
a high propability that the missing fragments are
already send to the recipient. So restoring them
from a disk won't be helpful this way.

Best regards

Dirk





More information about the Snort-devel mailing list