[Snort-devel] offset to fragment data (ip with options)
Vyacheslav V. Burdjanadze
wr at ...2861...
Thu Feb 16 03:01:07 EST 2006
While trying to tweak snort-2.4.3 sources I've found this -
fragStart = ((char *)p->iph + IP_HLEN(p->iph) * 4) +
Is it correct? Doesn't ip header length reflect options length?
It seems we may send fragmented packets with ip options inside to evade ids.
There are a few places with similar code.
More information about the Snort-devel