[Snort-devel] tought it would have been implemented

Eric Lauzon eric.lauzon at ...1967...
Mon Jun 27 06:31:36 EDT 2005


Mainly the issue I have seen is when snort receives
fragmented IP packets (encapsulated udp):
it will never reassemble the fragments and inspect the udp packet.

Normal behavior?


I was in the process of designing a preprocessor.

-elz

 

> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...402...] 
> Sent: 27 juin 2005 00:33
> To: Eric Lauzon
> Cc: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] tought it would have been implemented
> 
> There's not enough information to really tell what you're 
> complaining about here.  Are you referring to the IP 
> defragmenter and if so, are you talking about frag2 or frag3? 
>  If you're talking about some other type of "UDP 
> fragmentation" could you be more specific?  Care to read the 
> BUGS file and submit a proper report?
> 
>        -Marty
> 
> On Jun 20, 2005, at 4:48 PM, Eric Lauzon wrote:
> 
> > Nice to see that snort is still vulnerable to udp fragmentation.
> >
> > I had in mind that it has been corrected in 2.X but it seems as if it's
> > blind as a grand grand mother when udp is fragmented, then it will
> > likely discard, drop without inspection since the nice fragments will
> > timeout.
> >
> > So all rules for udp need to be rewritten for udp fragmentation ;)
> >
> > -elz
> >
> >
> >
> 
> --
> Martin Roesch - Founder/CTO, Sourcefire Inc. - 
> +1-410-290-1616 Sourcefire - Network Defense for the Real 
> World - http:// www.sourcefire.com
> Snort: Open Source Intrusion Detection and Prevention - 
> http:// www.snort.org
> 
> 
> 
> 
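Added illustration, not part of the original thread and not Snort, frag2 or frag3 code: a Python example of why UDP content rules have to run on the reassembled IP datagram rather than on individual fragments. The signature, addresses and fragment data are constructed; the reassembler assumes non-overlapping fragments and does no timeout handling.

```python
# Added illustration: not Snort, frag2 or frag3 code. All data is constructed.
from collections import namedtuple

SIGNATURE = b"EXAMPLE-SIG"  # constructed stand-in for a UDP rule's content match

# offset = byte offset of the data in the original datagram; more = IPv4 MF flag
Fragment = namedtuple("Fragment", "src dst ip_id proto offset more data")

def reassemble(frags):
    """Return {(src, dst, ip_id, proto): payload} for each complete datagram."""
    flows = {}
    for f in frags:
        flows.setdefault((f.src, f.dst, f.ip_id, f.proto), []).append(f)
    complete = {}
    for key, parts in flows.items():
        parts.sort(key=lambda f: f.offset)
        if parts[-1].more:            # final fragment not seen yet
            continue
        buf = b""
        for f in parts:
            if f.offset != len(buf):  # hole, duplicate or overlap: do not guess
                break
            buf += f.data
        else:
            complete[key] = buf
    return complete

def per_fragment_hits(frags):
    """What an engine sees if it matches content on each fragment alone."""
    return [f for f in frags if SIGNATURE in f.data]

def reassembled_hits(frags):
    """What it sees if matching runs after IP defragmentation."""
    return [k for k, p in reassemble(frags).items() if SIGNATURE in p]

# Constructed datagram: 8-byte UDP header + payload, split at a multiple of 8
# (IPv4 fragment offsets are in 8-byte units) so the signature straddles the cut.
DATAGRAM = bytes(8) + b"AAAA" + SIGNATURE + b"BBBB"
KEY = ("192.0.2.10", "192.0.2.20", 0x1234, 17)  # documentation addresses, UDP
SAMPLE = [
    Fragment(*KEY, offset=0, more=True, data=DATAGRAM[:16]),
    Fragment(*KEY, offset=16, more=False, data=DATAGRAM[16:]),
]

if __name__ == "__main__":
    print("per-fragment hits:", len(per_fragment_hits(SAMPLE)))
    print("reassembled hits: ", reassembled_hits(SAMPLE))
```

A datagram whose final fragment never arrives is never returned by `reassemble`, so it is never matched either; that is the timeout case raised in the thread.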



