[Snort-devel] [PATCH]: Count discards in DecodeTCP (src/decode.c)

Joshua.Kinard at ...3108... Joshua.Kinard at ...3108...
Mon Aug 15 19:37:54 EDT 2011


From: Russ Combs [mailto:rcombs at ...402...] 

> Thanks Joshua.
>
> I'm thinking that case isn't a real discard due to the
> unsure-encapsulation, but I do see that it brings into
> question at least some of the UDP cases.
>
> We'll take a closer look and get back to you.

Okay, thanks Russ!  Please let me know the correct course of action.  I
am emulating this bit in the SCTP decoder I am working on and don't want
to emulate incorrect behavior.  I did notice that 2.9.0.5 is easily
confused by ESP packets, often misinterpreting them as other protocols.
2.9.1 fixes this, and I suspect it is this particular code block in each
of the Decode* functions.

Cheers,

--J



