[Snort-devel] Frag3 in CVS HEAD

Martin Roesch roesch at ...402...
Fri Oct 8 10:03:08 EDT 2004


Hi all,

I tried posting this message a few days ago but Sourceforge appears to 
have eaten it, let's try again.

A new IP defragmentation preprocessor, Frag3, was checked into CVS HEAD 
yesterday and is available for testing.  Please consider this code 
EXPERIMENTAL at this time, I've done a good deal of testing on it to 
date but only on x86 and G4/G5 machines.

Frag3 is a new IP defrag subsystem for Snort that has the following 
features/improvements over frag2:

* Target-based fragment reassembly (anti-evasion)
* User selectable memory management system (memcap or preallocated)
* Uses hash tables/linked lists instead of splay trees (much faster 
than frag2)
* 8 anomaly detection modes
* Improved fragment timeout handling

Portions of frag3 are based loosely on the linux IP defragmentation 
mechanism and frag2's implementation, but in large part the code is all 
new.  I'd like to thank Vern Paxson and Umesh Shankar for their 
excellent paper that defined the framework for the target-based 
mechanisms that I have included in frag3.  Check it out at 
http://www.icir.org/vern/papers/activemap-oak03.pdf if you're 
interested in seeing some really important basic network security 
research that was necessary to build these target-based systems that 
I've been ranting about for the last four years.

Docs for the module are available in the doc directory, check out the 
README.frag3 file for more info and background, as well as the 
snort.conf file for basic "up and running" information.

As I said, frag3 is considered *experimental* at this point.  I've hit 
it with some pretty serious test cases but it doesn't have a lot of 
time on real networks or non-linux/OS X platforms at this point.  If 
you're feeling adventurous please download HEAD and check it out!  If 
you find any bugs please let me know and I'll work to address them as 
quickly as possible.

      -Marty

-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org





More information about the Snort-devel mailing list