[Snort-users] Reassembled packets from Frag3 and Stream5

Matt Olney molney at ...1935...
Tue Oct 14 09:00:05 EDT 2008


The reassembled packets are identical to the combined payloads of the
packets that are reassembled.  Snort reinjects the reassembled packets
(pseudopackets) at the decoder level and detection is run against the
reassembled packets.  While this does indeed add load to the system, this
cost is entirely acceptable given the decrease in trivial evasion
possibilities and is more than offset by the performance increase that is
gained by handling flows with an understanding of the stream state.

Matt

On Tue, Oct 14, 2008 at 4:42 AM, Rayne <hjazz6 at ...14432...> wrote:

> Hi all,
>
> I know that Frag3 reassembles IP fragments, and Stream5 reassembles TCP
> fragments. So are the reassembled packets identical, i.e. in terms of
> payload? And wouldn't this increase the volume of traffic passed into the
> detection engine and cause it to run slower, since there are now more
> packets to check against the rules?
>
> Thank you.
>
> Regards,
> Rayne


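The behaviour described in the reply above, as an added example that is not part of the original thread and is not Snort's code: a simplified Python model that runs a content match against each TCP segment on its own and then against the reassembled pseudopacket. The segment data, the `CONTENT` marker, the function names and the first-copy-wins handling of retransmitted bytes are assumptions made for this illustration; sequence-number wraparound is ignored.

```python
from typing import Dict, List, Tuple

Segment = Tuple[int, bytes]  # (TCP sequence number, payload)


def reassemble(segments: List[Segment], isn: int) -> bytes:
    """Rebuild the in-order byte stream from segments in arrival order.

    Overlapping or retransmitted bytes keep the first copy seen (assumed
    policy). Output stops at the first gap, since bytes beyond a hole
    cannot yet be handed to detection in order.
    """
    stream: Dict[int, int] = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            stream.setdefault(seq - isn + i, byte)
    out = bytearray()
    while len(out) in stream:
        out.append(stream[len(out)])
    return bytes(out)


def detect(segments: List[Segment], isn: int, content: bytes) -> dict:
    """Compare per-segment matching with matching on the pseudopacket."""
    pseudopacket = reassemble(segments, isn)
    return {
        "per_packet_hits": sum(content in payload for _, payload in segments),
        "pseudopacket_hit": content in pseudopacket,
        "pseudopacket": pseudopacket,
    }


# Constructed sample: one request split across three segments that arrive
# out of order, with one segment retransmitted.
ISN = 1000
CONTENT = b"CONSTRUCTED-MARKER"
SEGMENTS: List[Segment] = [
    (1019, b"RKER HTTP/1.0\r\n\r\n"),
    (1000, b"GET /CONSTR"),
    (1011, b"UCTED-MA"),
    (1011, b"UCTED-MA"),  # retransmission
]

if __name__ == "__main__":
    result = detect(SEGMENTS, ISN, CONTENT)
    print("segments matching on their own:", result["per_packet_hits"])
    print("pseudopacket matches:", result["pseudopacket_hit"])
    print("pseudopacket payload:", result["pseudopacket"])
```
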