[Snort-users] Re: snort sees no fragmented attack

Chris Green cmg at ...1935...
Mon Aug 12 05:43:05 EDT 2002


Holger.Woehle at ...2701... writes:

>> echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc
>
> Hello, I forgot to tell you some version numbers: I am using Snort
> 1.8.7, also tested it with 1.9 beta 2, and Linux 2.4.18 on an Intel Pentium
> 4 2GHz with 256 MByte RAM.  The sensor listens behind a Shomiti Ethernet
> TAP.  May this be the problem?  The sensor only catches the
> "incoming" traffic. I do not want the answers from the machines.  Am
> I wrong with that?  Does snort need the outgoing traffic for defrag?


Well, in 1.9 w/ a 1.9 ruleset, you should turn on

preprocessor stream4: asynchronous_link

you are running into the state machines actually caring about the
state of a TCP session, which it can't ascertain w/o having both sides
of the conversation.

This is not related to fragmentation.
-- 
Chris Green <cmg at ...1935...>
A good pun is its own reword.
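The reason one-directional capture starves a stateful TCP preprocessor, shown as an added example that is not part of the original thread and is not Snort's stream4 code: a toy session tracker that only hands payload to inspection once it has seen the full three-way handshake, beside an "asynchronous link" mode that inspects payload on any tracked flow. The packet records, the 10.0.0.x addresses and the helper names are all constructed for this illustration; the only thing taken from the thread is the request string.

```python
# Illustrative model of why a stateful TCP preprocessor sees nothing on a
# one-directional tap, and what an "asynchronous link" mode changes.
# Added example for this thread; NOT Snort's stream4 code. All packets
# below are constructed by hand.
from dataclasses import dataclass, field

SYN, ACK, PSH = 0x02, 0x10, 0x08  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: int
    payload: bytes = b""


@dataclass
class Session:
    state: str = "CLOSED"
    inspected: list = field(default_factory=list)


def session_key(p):
    # Direction-independent 4-tuple so both halves of a flow map to one session.
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


def track(packets, asynchronous_link=False):
    """Feed packets through a simplified stateful tracker and return
    {session_key: Session}.

    asynchronous_link=False: payload reaches inspection only after the
    handshake completed (client SYN, server SYN/ACK, client ACK).
    asynchronous_link=True: any payload on a tracked flow is inspected,
    handshake seen or not (the mode Chris recommends for a one-way tap).
    """
    sessions = {}
    for p in packets:
        s = sessions.setdefault(session_key(p), Session())
        if p.flags & SYN and not p.flags & ACK:
            s.state = "SYN_SENT"
        elif p.flags & SYN and p.flags & ACK and s.state == "SYN_SENT":
            s.state = "SYN_RECV"
        elif p.flags & ACK and s.state == "SYN_RECV":
            s.state = "ESTABLISHED"
        if p.payload and (asynchronous_link or s.state == "ESTABLISHED"):
            s.inspected.append(p.payload)
    return sessions


def inspected_payloads(packets, asynchronous_link=False):
    """All payloads that would have reached the rule engine."""
    return [pl for s in track(packets, asynchronous_link).values()
            for pl in s.inspected]


def directions_seen(packets):
    # Sanity check for a tap: a flow that only ever shows one (src, dst)
    # pairing is being captured one-directionally.
    return {(p.src, p.dst) for p in packets}


# Constructed traffic: client 10.0.0.5:40000 talking to server 10.0.0.80:80.
CLIENT, SERVER = ("10.0.0.5", 40000), ("10.0.0.80", 80)
REQUEST = b"GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps\r\n"


def c2s(flags, payload=b""):
    return Packet(CLIENT[0], SERVER[0], CLIENT[1], SERVER[1], flags, payload)


def s2c(flags, payload=b""):
    return Packet(SERVER[0], CLIENT[0], SERVER[1], CLIENT[1], flags, payload)


# Full conversation, as a SPAN port or in-line sensor would see it.
BOTH_SIDES = [c2s(SYN), s2c(SYN | ACK), c2s(ACK), c2s(PSH | ACK, REQUEST)]
# What a tap wired for the "incoming" direction only delivers: the
# server's SYN/ACK never reaches the sensor, so the handshake never completes.
ONE_SIDE = [c2s(SYN), c2s(ACK), c2s(PSH | ACK, REQUEST)]


if __name__ == "__main__":
    print("both sides, stateful:   ", inspected_payloads(BOTH_SIDES))
    print("one side,   stateful:   ", inspected_payloads(ONE_SIDE))
    print("one side,   asynchronous:", inspected_payloads(ONE_SIDE, True))
    print("directions on tap:      ", directions_seen(ONE_SIDE))
```

With both directions the request is inspected; with only the client side it is silently dropped until the asynchronous mode is switched on. `directions_seen` is the check to run against a capture from the tap before changing the config: a single (src, dst) pairing on a flow that should be bidirectional confirms the sensor is only seeing one side, which is exactly the situation `preprocessor stream4: asynchronous_link` is meant for.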
