[Snort-devel] tought it would have been implemented
eric.lauzon at ...1967...
Mon Jun 27 06:31:36 EDT 2005
Mainly the issue i have seen is when snort received
a fragmented IP packets (encapsulated udp)
i will never reassemble the fragments and inspect the udp packet.
I was in the process of designing a preprocessor.
> -----Original Message-----
> From: Martin Roesch [mailto:roesch at ...402...]
> Sent: 27 juin 2005 00:33
> To: Eric Lauzon
> Cc: snort-devel at lists.sourceforge.net
> Subject: Re: [Snort-devel] tought it would have been implemented
> There's not enough information to really tell what you're
> complaining about here. Are you referring to the IP
> defragmenter and if so, are you talking about frag2 or frag3?
> If you're talking about some other type of "UDP
> fragmentation" could you be more specific? Care to read the
> BUGS file and submit a proper report?
> On Jun 20, 2005, at 4:48 PM, Eric Lauzon wrote:
> > Nice to see that snort is still vulnerable to udp fragmentation.
> > I had in mind that it has been corrected in 2.X but it seem
> as if its
> > blind as a grand grand mother when udp is fragmented, then it will
> > likely discard,drop without inspection since the nice
> fragments will
> > timeout.
> > So all rules for udp need to be re-writen for udp fragmentation ;)
> > -elz
> > -------------------------------------------------------
> > SF.Net email is sponsored by: Discover Easy Linux Migration
> > from IBM. Find simple to follow Roadmaps, straightforward articles,
> > informative Webcasts and more! Get everything you need to get up to
> > speed, fast. http://ads.osdn.com/?ad_idt77&alloc_id492&op=click
> > _______________________________________________
> > Snort-devel mailing list
> > Snort-devel at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/snort-devel
> Martin Roesch - Founder/CTO, Sourcefire Inc. -
> +1-410-290-1616 Sourcefire - Network Defense for the Real
> World - http:// www.sourcefire.com
> Snort: Open Source Intrusion Detection and Prevention -
> http:// www.snort.org
More information about the Snort-devel