[Snort-devel] tought it would have been implemented

Martin Roesch roesch at ...402...
Mon Jun 27 06:33:47 EDT 2005


Is this in frag2 or frag3?

On Jun 27, 2005, at 9:30 AM, Eric Lauzon wrote:

>
> Mainly the issue I have seen is when snort received
> fragmented IP packets (encapsulated udp):
> it will never reassemble the fragments and inspect the udp packet.
>
> Normal behavior?
>
>
> I was in the process of designing a preprocessor.
>
> -elz
>
>> -----Original Message-----
>> From: Martin Roesch [mailto:roesch at ...402...]
>> Sent: 27 juin 2005 00:33
>> To: Eric Lauzon
>> Cc: snort-devel at lists.sourceforge.net
>> Subject: Re: [Snort-devel] tought it would have been implemented
>>
>> There's not enough information to really tell what you're
>> complaining about here.  Are you referring to the IP
>> defragmenter and if so, are you talking about frag2 or frag3?
>>  If you're talking about some other type of "UDP
>> fragmentation" could you be more specific?  Care to read the
>> BUGS file and submit a proper report?
>>
>>        -Marty
>>
>> On Jun 20, 2005, at 4:48 PM, Eric Lauzon wrote:
>>
>>
>>> Nice to see that snort is still vulnerable to udp fragmentation.
>>>
>>> I had in mind that it has been corrected in 2.X but it seems as if it's
>>> blind as a grand grand mother when udp is fragmented, then it will
>>> likely discard, drop without inspection since the nice fragments will
>>> timeout.
>>>
>>> So all rules for udp need to be rewritten for udp fragmentation ;)
>>>
>>> -elz
>>
>> --
>> Martin Roesch - Founder/CTO, Sourcefire Inc. -
>> +1-410-290-1616 Sourcefire - Network Defense for the Real
>> World - http://www.sourcefire.com
>> Snort: Open Source Intrusion Detection and Prevention -
>> http://www.snort.org

--  
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Network Defense for the Real World - http://www.sourcefire.com
Snort: Open Source Intrusion Detection and Prevention - http://www.snort.org






