[Snort-users] Frag3 timeout ignored

Emeka Agu mainmen1985 at ...11827...
Sun Sep 2 03:20:54 EDT 2012


So sorry, it was early in the morning and I wasn't fully functioning!

Anyway

In Snort I set the timeout for fragments as 30 seconds. I know Windows has a
60 second fragment timeout. Using scapy I fragment a packet into two
(Wireshark sees the separation as an IP fragment).

I send the first fragment straight away, wait 45 seconds then send the
next, thinking the original fragment will be dropped from Snort's buffer
but kept by the OS buffer, but Snort STILL notices it, reassembles the file
and alerts me to the content.

As for version, it is the default one on Backtrack 5R2. How can I tell the
version? My Frag3 line is:

preprocessor frag3_engine: policy first detect_anomalies timeout 30


I notice that I can set the Stream5 timeout to a value too, so maybe I
will set that to 30 seconds and see.


On 2 September 2012 06:19, waldo kitty <wkitty42 at ...14940...> wrote:

> On 9/1/2012 22:36, Gmail Personal wrote:
> > Hi guys, my Frag3 timeout of 30 seconds is ignored when I'm doing some
> > testing with Scapy
> >
> > Is it as simple as putting "timeout 30" in the Frag engine options?
>
> you need to explain a bit more details... what do you mean that the
> timeout is not working?
>
> are you expecting that snort will timeout on the stream after 30 seconds
> or what??
>
> what version of snort are you running?
>
> what, exactly, does your stream3 config line look like??
>
> FWIW: all of our crystal balls are in the repair shop due to failures in
> reading what others are trying to depict with their reports... we only
> have what you/they can accurately explain to us to work with... "it isn't
> working" is like saying the "car won't start" and no one can tell if the
> battery is dead or the gas is watered down...
>
> so help us to help you... give us as much detail as you can that is
> specific to the problem you are having ;)
More information about the Snort-users mailing list
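
An added example, not part of the thread and not Snort's own code: a Python check that reads `frag3_engine` lines like the one quoted above and reports every engine whose `timeout` is shorter than the fragment timeout of the hosts it protects, which is the window the poster is testing. The 60-second Windows figure is the poster's; the host table, the helper names and the second engine line are assumptions, and the check deliberately ignores which hosts sit behind each `bind_to`.

```python
import re

# Assumed host reassembly timeouts in seconds. The Windows value is the one
# quoted in the post; extend the table for the hosts actually being protected.
HOST_FRAG_TIMEOUT = {"windows": 60}

FLAG_OPTS = {"detect_anomalies"}  # options that take no value
FRAG3_DEFAULTS = {"policy": "bsd", "timeout": "60", "bind_to": "all"}  # Snort manual defaults


def parse_frag3_engines(conf_text):
    """Return one option dict per 'preprocessor frag3_engine' line."""
    engines = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = re.match(r"preprocessor\s+frag3_engine\s*:?\s*(.*)$", line)
        if not m:
            continue
        opts = dict(FRAG3_DEFAULTS)
        # Options may be separated by spaces or commas; keep [ip,ip] lists whole.
        tokens = re.findall(r"\[[^\]]*\]|[^\s,]+", m.group(1))
        i = 0
        while i < len(tokens):
            if tokens[i] in FLAG_OPTS or i + 1 == len(tokens):
                opts[tokens[i]] = True
                i += 1
            else:
                opts[tokens[i]] = tokens[i + 1]
                i += 2
        opts["timeout"] = int(opts["timeout"])
        engines.append(opts)
    return engines


def timeout_gaps(engines, host_timeouts=HOST_FRAG_TIMEOUT):
    """List (bind_to, os, engine_timeout, host_timeout) where the sensor forgets first."""
    return [(eng["bind_to"], os_name, eng["timeout"], host_t)
            for eng in engines
            for os_name, host_t in sorted(host_timeouts.items())
            if eng["timeout"] < host_t]


# Constructed sample: the first engine line is the one from the post, the second is made up.
SAMPLE_CONF = """\
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies timeout 30
preprocessor frag3_engine: policy windows, bind_to [10.1.47.0/24,172.16.8.0/24], timeout 90
"""

if __name__ == "__main__":
    for gap in timeout_gaps(parse_frag3_engines(SAMPLE_CONF)):
        print("engine bound to %s drops fragments after %ds; %s hosts keep them %ds" % gap)
```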