[Snort-users] Re: snort sees no fragmented attack
cmg at ...1935...
Mon Aug 12 05:43:05 EDT 2002
Holger.Woehle at ...2701... writes:
>> echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc
> Hello, i forgot to tell you some Version numbers : I am using Snort
> 1.8.7 also tested it with 1.9 beta 2 and Linux 2.4.18 Intel Pentium
> 4 2GHZ 256 MByte RAM. The Sensor listens behind a Shomiti Ethernet
> TAP. May this be the problem ? The Sensor only catches the
> "incoming" traffic. I do not want the answers from the machines. Am
> I wrong with that ? Does snort need the outgoing traffic for defrag
Well, in 1.9 w/ a 1.9 ruleset, you should turn on
preprocessor stream4: asynchronous_link
you are running into the state machines actually caring about the
state of a TCP session which it can't ascertain w/o having both sides
of the conversation.
This is not related to fragmentation.
Chris Green <cmg at ...1935...>
A good pun is its own reword.
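The point Chris makes above, as an added illustration that is not part of this thread and is not Snort's own stream4 code: a toy TCP session tracker that only hands payload to "detection" once it has seen the three-way handshake, plus an asynchronous switch that trusts the one direction a one-way tap can see. The "client"/"server" labels, the segment traces and the request string are constructed for the example; the GET path is the one from the quoted test command.

```python
from dataclasses import dataclass

# TCP flag bits used by the constructed segments.
SYN, PSH, ACK = 0x02, 0x08, 0x10


@dataclass(frozen=True)
class Segment:
    src: str              # "client" or "server" (constructed labels, not real hosts)
    dst: str
    flags: int
    payload: bytes = b""


@dataclass
class Session:
    state: str = "NEW"    # NEW -> SYN_SENT -> SYN_RECV -> ESTABLISHED
    initiator: str = ""   # side that sent the first SYN


class Tracker:
    """Hypothetical stateful tracker (simplified model, not stream4 itself)."""

    def __init__(self, asynchronous: bool = False):
        self.asynchronous = asynchronous
        self.sessions = {}
        self.inspected = []   # payloads that reached the detection stage

    def feed(self, seg: Segment) -> bool:
        """Return True if this segment's payload was handed to detection."""
        key = frozenset((seg.src, seg.dst))
        s = self.sessions.setdefault(key, Session())
        self._advance(s, seg)
        if seg.payload and s.state == "ESTABLISHED":
            self.inspected.append(seg.payload)
            return True
        # Payload on a session whose state is unknown is ignored: with only
        # one direction visible, strict tracking never leaves SYN_SENT.
        return False

    def _advance(self, s: Session, seg: Segment) -> None:
        syn = bool(seg.flags & SYN)
        ack = bool(seg.flags & ACK)
        if s.state == "NEW" and syn and not ack:
            s.initiator = seg.src
            # Asynchronous mode trusts the single side it can see and does
            # not wait for the peer's SYN/ACK before inspecting data.
            s.state = "ESTABLISHED" if self.asynchronous else "SYN_SENT"
        elif s.state == "SYN_SENT" and syn and ack and seg.src != s.initiator:
            s.state = "SYN_RECV"
        elif s.state == "SYN_RECV" and ack and not syn and seg.src == s.initiator:
            s.state = "ESTABLISHED"


def inspected_payloads(segments, asynchronous: bool) -> list:
    """Run a trace through a fresh tracker and return what detection saw."""
    t = Tracker(asynchronous=asynchronous)
    for seg in segments:
        t.feed(seg)
    return t.inspected


# Constructed traces. REQUEST reuses the path from the thread's test command.
REQUEST = b"GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps HTTP/1.0\r\n\r\n"

# What a tap on the "incoming" side alone delivers: no SYN/ACK from the server.
ONE_SIDED = [
    Segment("client", "server", SYN),
    Segment("client", "server", ACK),
    Segment("client", "server", PSH | ACK, REQUEST),
]

# The same exchange with both directions visible.
BOTH_SIDES = [
    Segment("client", "server", SYN),
    Segment("server", "client", SYN | ACK),
    Segment("client", "server", ACK),
    Segment("client", "server", PSH | ACK, REQUEST),
]

if __name__ == "__main__":
    print("one-sided, strict      :", inspected_payloads(ONE_SIDED, False))
    print("one-sided, asynchronous:", inspected_payloads(ONE_SIDED, True))
    print("both sides, strict     :", inspected_payloads(BOTH_SIDES, False))
```

With strict tracking the one-sided trace never reaches ESTABLISHED, so the request is never inspected and no rule can fire; the asynchronous switch, or a tap that delivers both directions, is what gets the payload in front of the rules.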