[Snort-users] frag3_engine policy in heterogeneous env.

chris ryan chris.ryan at ...348...
Wed Jun 25 08:32:34 EDT 2008


As far as I understand, the policies "emulate" the target host OS
defragmentation to avoid an evasion of the IDS.

For now, we have a very heterogeneous environment and cannot map the
subnets to specific operating systems. In effect, the "bind-to" combined
with "policy xyz" is not applicable.

So, my guess is, I have to use one frag3_engine policy for all the traffic
(with possible evasion side effect to the IDS). The default engine is "BSD".

Is "BSD" a good choice for such a heterogeneous environment?

Thanks in advance, Chris.
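
Added example, not part of the original post and not Snort code: a simplified Python model of why the policy choice matters, showing one set of overlapping fragments reassembling differently under frag3's "first" and "last" policies. The function names, byte-offset model and sample fragments are assumptions made for illustration.

```python
# Added illustration: the same overlapping fragments, two reassembly policies.
# Simplified model: byte offsets, no IP headers, no timeouts.

def reassemble(fragments, policy):
    """Reassemble (offset, data) fragments in arrival order.

    policy "first": a byte already received is never overwritten.
    policy "last":  a later fragment overwrites overlapping bytes.
    """
    if policy not in ("first", "last"):
        raise ValueError("unsupported policy: %r" % policy)
    buf = {}
    for offset, data in fragments:
        for i, byte in enumerate(data):
            pos = offset + i
            if policy == "first" and pos in buf:
                continue  # keep the original byte
            buf[pos] = byte
    if not buf:
        return b""
    end = max(buf) + 1
    missing = [p for p in range(end) if p not in buf]
    if missing:
        raise ValueError("incomplete datagram, first gap at %d" % missing[0])
    return bytes(buf[p] for p in range(end))


def policies_disagree(fragments):
    """True when the sensor's view depends on the configured policy."""
    return reassemble(fragments, "first") != reassemble(fragments, "last")


# Constructed sample: the third fragment overlaps bytes 8..15 of the second.
SAMPLE = [
    (0, b"AAAAAAAA"),
    (8, b"BBBBBBBB"),
    (8, b"CCCCCCCC"),
    (16, b"DDDDDDDD"),
]
# Constructed sample without overlap: every policy yields the same datagram.
CLEAN = [(0, b"AAAAAAAA"), (8, b"BBBBBBBB"), (16, b"DDDDDDDD")]

if __name__ == "__main__":
    for name in ("first", "last"):
        print(name, reassemble(SAMPLE, name))
    print("ambiguous:", policies_disagree(SAMPLE))
```

A sensor running one policy sees only one of the two results, so hosts that reassemble the other way receive data the sensor never inspected; traffic without overlaps is unaffected by the choice.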
