[Snort-users] overlapping fragments

Ashley Thomas athomas at ...3539...
Tue May 21 15:45:03 EDT 2002


Overlapping fragments is known to be a misbehaviour. right ?
So does the IDS need to 'try' to reassemble that set of fragments
or just give an alert ??

What should be the ideal behaviour ?

I think RFC does'nt restrict fragments to be non-overlapping...

any pointers/ideas.


More information about the Snort-users mailing list