[Snort-users] frag3 order question

Gentoo-Wally gentoowally at ...11827...
Wed Aug 23 10:52:35 EDT 2006


When using multiple frag3 rules, does their order make a difference in
functionality?

Is...

preprocessor frag3_engine: policy first, detect_anomalies
preprocessor frag3_engine: policy bsd, bind_to [1.1.1.1]
preprocessor frag3_engine: policy linux, bind_to [1.1.1.3,1.1.1.4,1.1.1.5]

function the same as...

preprocessor frag3_engine: policy linux, bind_to [1.1.1.3,1.1.1.4,1.1.1.5]
preprocessor frag3_engine: policy bsd, bind_to [1.1.2.0/24]
preprocessor frag3_engine: policy first, detect_anomalies


I always thought that earlier statements kind of acted as filters for
the final statement, which is kind of a catch-all for everything not
previously defined, but I'm not sure if the actual order plays a part
in this. If the 'policy first' config is first in line, will everything
use that frag3?

Wally



