[Snort-devel] Snort-Inline and dropping Fragmented attacks

Steven Sturges steve.sturges at ...402...
Sun Oct 1 22:05:50 EDT 2006


Hi James-

The Snort inline guys might have more details, but as far as
I know, the pieces of the fragmented data are forwarded as they
are received by Snort, however the one that completes the fragmented
data and causes Frag3 to push the reassembled version through the
rest of the preprocessors and rules should be blocked -- assuming
that the rule that it matched is a drop rule.

We do not buffer fragments and send them all out after the fragment
is completed -- that would lead to a DoS opportunity within
Snort.

Cheers.
-steve

James G wrote:
> Hi all,
>  
> My question is: Can Snort_inline Drop a fragmented attack that has 
> been reassembled by Frag3? Or does it only generate an alert on it?
>  
> I mean, does Frag 3 forward the fragments before the rest of the system 
> analyses the reassembled packet??
>  
> Regards,
> 
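
The behaviour described in the reply above, as an added example (not Snort or Frag3 code, and not part of the original thread): a toy single-datagram model in Python where fragments are forwarded as they arrive and only the fragment that completes reassembly is blocked when the reassembled payload matches a drop rule. `Fragment`, `fragment`, `reassemble`, `inline_pass` and the sample payload are constructed for illustration; overlapping fragments and multiple flows are not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this piece within the original datagram
    more: bool    # IP "more fragments" flag (False on the final piece)
    data: bytes

def fragment(payload, size=8):
    """Split a payload into fixed-size fragments (constructed test input)."""
    return [Fragment(i, i + size < len(payload), payload[i:i + size])
            for i in range(0, len(payload), size)]

def reassemble(frags):
    """Return the full payload once the pieces are contiguous, else None."""
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered or ordered[-1].more:
        return None                    # final piece not seen yet
    out = b""
    for f in ordered:
        if f.offset != len(out):
            return None                # hole: still waiting for a piece
        out += f.data
    return out

def inline_pass(arrivals, drop_pattern):
    """Forward each fragment on arrival; block only the completing one
    when the reassembled payload matches the drop rule."""
    seen, forwarded, dropped = [], [], []
    for frag in arrivals:
        seen.append(frag)
        payload = reassemble(seen)
        if payload is not None and drop_pattern in payload:
            dropped.append(frag)
            seen.pop()                 # model choice: a retransmit is judged again
        else:
            forwarded.append(frag)     # nothing is held back
    return forwarded, dropped

# Constructed sample: the marker straddles the 2nd and 3rd fragments.
SAMPLE = b"hdr-hdr-xxxxxBLOCKMExxxx"
PATTERN = b"BLOCKME"

if __name__ == "__main__":
    f0, f1, f2 = fragment(SAMPLE)
    fwd, drp = inline_pass([f2, f0, f1], PATTERN)   # out-of-order arrival
    print("forwarded offsets:", [f.offset for f in fwd])
    print("dropped offsets:  ", [f.offset for f in drp])
    print("receiver can reassemble:", reassemble(fwd) is not None)
```

With out-of-order arrival the completing fragment is the middle one, so the piece that gets dropped is whichever arrives last, not necessarily the one with the highest offset.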




