[Snort-devel] Query on processor(frag2)
roesch at ...402...
Sat Jan 17 12:23:02 EST 2004
Snort stores the fragments in memory and reassembles them into a packet
buffer that is generated at reassembly time. The frag2 preprocessor
uses a memory cap to indicate the maximum amount of memory that the
entire preprocessor can use, this is configured in the snort.conf file.
If the memcap is hit, the preprocessors uses a number of strategies to
make sure that memory isn't exhausted and that the packet cleared is
not predictable by any attackers.
On Jan 14, 2004, at 5:14 AM, WAN FAT WU wrote:
> Dear friends,
> I have one question on processors(frag2).
> As I know, frag2 can rebuild each packet from the
> pieces and passes the full packet through for
> detection once the the process is done,right?
> However, where did snort rebuild the packets? in
> memory? or in harddisk?
> If it rebuild in memory, then will the memory be
> crash? If it rebuild in harddisk, then will it be
> Happy New Year!
> Shining Friends、好心好?蟆??q月如歌...
> 浪漫???? 情心?B?M
> This SF.net email is sponsored by: Perforce Software.
> Perforce is the Fast Software Configuration Management System offering
> advanced branching capabilities and atomic changes on 50+ platforms.
> Free Eval! http://www.perforce.com/perforce/loadprog.html
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-devel