[Snort-devel] Frag3 in CVS HEAD
roesch at ...402...
Fri Oct 8 10:03:08 EDT 2004
I tried posting this message a few days ago but Sourceforge appears to
have eaten it, let's try again.
A new IP defragmentation preprocessor, Frag3, was checked into CVS HEAD
yesterday and is available for testing. Please consider this code
EXPERIMENTAL at this time, I've done a good deal of testing on it to
date but only on x86 and G4/G5 machines.
Frag3 is a new IP defrag subsystem for Snort that has the following
features/improvements over frag2:
* Target-based fragment reassembly (anti-evasion)
* User selectable memory management system (memcap or preallocated)
* Uses hash tables/linked lists instead of splay trees (much faster
* 8 anomaly detection modes
* Improved fragment timeout handling
Portions of frag3 are based loosely on the linux IP defragmentation
mechanism and frag2's implementation, but in large part the code is all
new. I'd like to thank Vern Paxson and Umesh Shankar for their
excellent paper that defined the framework for the target-based
mechanisms that I have included in frag3. Check it out at
http://www.icir.org/vern/papers/activemap-oak03.pdf if you're
interested in seeing some really important basic network security
research that was necessary to build these target-based systems that
I've been ranting about for the last four years.
Docs for the module are available in the doc directory, check out the
README.frag3 file for more info and background, as well as the
snort.conf file for basic "up and running" information.
As I said, frag3 is considered *experimental* at this point. I've hit
it with some pretty serious test cases but it doesn't have a lot of
time on real networks or non-linux/OS X platforms at this point. If
you're feeling adventurous please download HEAD and check it out! If
you find any bugs please let me know and I'll work to address them as
quickly as possible.
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-devel