[Snort-users] frag3: Fragmentation overlap

Paul Schmehl pauls at ...6838...
Mon Sep 25 14:12:59 EDT 2006


--On Monday, September 25, 2006 13:13:37 -0400 Joel Esler 
<joel.esler at ...1935...> wrote:

> Paul,
>
> Have you custom tuned your frag3 lines to reflect the targets behind
> your IDS?
>
Apparently not.

preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies \
                           ttl_limit 10

But the targets behind an edu IDS would be "all of the above".  :-)

Paul Schmehl (pauls at ...6838...)
Adjunct Information Security Officer
The University of Texas at Dallas
http://www.utdallas.edu/ir/security/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pkcs7-signature
Size: 4085 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20060925/57d61d6b/attachment.bin>


More information about the Snort-users mailing list