[Snort-devel] Query on processor(frag2)

Martin Roesch roesch at ...402...
Sat Jan 17 12:23:02 EST 2004

Snort stores the fragments in memory and reassembles them into a packet 
buffer that is generated at reassembly time.  The frag2 preprocessor 
uses a memory cap to indicate the maximum amount of memory that the 
entire preprocessor can use, this is configured in the snort.conf file. 
  If the memcap is hit, the preprocessors uses a number of strategies to 
make sure that memory isn't exhausted and that the packet cleared is 
not predictable by any attackers.


On Jan 14, 2004, at 5:14 AM, WAN FAT WU wrote:

> Dear friends,
>   I have one question on processors(frag2).
>   As I know, frag2 can rebuild each packet from the
> pieces and passes the full packet through for
> detection once the the process is done,right?
>   However, where did snort rebuild the packets? in
> memory? or in harddisk?
>   If it rebuild in memory, then will the memory be
> crash? If it rebuild in harddisk, then will it be
> attacked?
> Happy New Year!
> Fred
> _________________________________________________________
> Shining Friends、好心好?蟆??q月如歌...
> 浪漫????  情心?B?M
> http://ringtone.yahoo.com.hk/
> -------------------------------------------------------
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

More information about the Snort-devel mailing list