[Snort-users] out of order ip fragments and frag3

Joel Esler jesler at ...1935...
Thu Jan 14 13:29:39 EST 2010


Snort reassembles ip fragments based upon the operating system that frag3 is
configured to reassemble the ip packet stream for.

For instance, if I have two boxes,

One Solaris
One Windows

...and I have frag3 set up to monitor these ip's and reassemble fragments
going to these boxes as the end-host operating system would reassemble them,
then frag3 will take care of the out of order ip fragments based upon how
the OS would handle it.

All that being said, I encourage you to check out doc/README.frag3 and the
Snort Manual for further details on the configuration and operation of the
frag3 preprocessor.

J

On Thu, Jan 14, 2010 at 12:01 PM, <alessandrorguard-snortml at ...5849...> wrote:

> Hi all!!
> Does snort/frag3 manage out of order ip fragments?
> if yes, is there a way to configure it?
> if not, are them managed like non fragmented packet?
>
> Thanks!
> Alessandro
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> Throughout its 18-year history, RSA Conference consistently attracts the
> world's best and brightest in the field, creating opportunities for
> Conference
> attendees to learn about information security's most important issues
> through
> interactions with peers, luminaries and emerging and established companies.
> http://p.sf.net/sfu/rsaconf-dev2dev
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
>



-- 
Joel Esler
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20100114/ea572631/attachment.html>


More information about the Snort-users mailing list