[Snort-users] Frag3 timeout ignored

waldo kitty wkitty42 at ...14940...
Sun Sep 2 16:32:30 EDT 2012


On 9/2/2012 03:20, Emeka Agu wrote:
> So sorry, it was early in the morning and I wasn't fully functioning!

yeah... for me, too... actually the end of a very long day... thus i typed 
stream3 when i meant frag3 :/

>
> Anyway
>
> In snort I set the timeout for fragments as 30 seconds. I know Windows has a 60
> second fragment timeout. Using scapy I fragment a packet into two (Wireshark
> sees the separation as an IP fragment).
>
> I send the first fragment straight away, wait 45 seconds then send the next,
> thinking the original fragment will be dropped from Snort's buffer but kept by
> the OS buffer, but Snort STILL notices it, reassembles the file and alerts me to
> the content.

ahhh... ok... i understand better now ;)

>
> As for version, it is the default one on Backtrack 5R2, how can I tell the
> version?

snort -V

that must be a capital 'V'...

> My Frag3 line is:
>
> preprocessor frag3_engine: policy first detect_anomalies timeout 30

ok...

>
>
> I notice that I can set the Stream5 timeout to a value too, so maybe I will set that to 30 seconds and see

you caught my mistake :) good that you looked there... that might be where you 
need to make that setting for what you are trying to do :)

>
>
> On 2 September 2012 06:19, waldo kitty <wkitty42 at ...14940...
> <mailto:wkitty42 at ...14940...>> wrote:
>
>     On 9/1/2012 22:36, Gmail Personal wrote:
>      > Hi guys, my Frag3 timeout of 30 seconds is ignored when I'm doing some
>     testing
>      > with Scapy
>      >
>      > Is it as simple as putting "timeout 30" in the Frag engine options?
>
>     you need to explain a bit more details... what do you mean that the timeout is
>     not working?
>
>     are you expecting that snort will timeout on the stream after 30 seconds or
>     what??
>
>     what version of snort are you running?
>
>     what, exactly, does your stream3 config line look like??
>
>     FWIW: all of our crystal balls are in the repair shop due to failures in reading
>     what others are trying to depict with their reports... we only have what
>     you/they can accurately explain to us to work with... "it isn't working" is like
>     saying the "car won't start" and no one can tell if the battery is dead or the
>     gas is watered down...
>
>     so help us to help you... give us as much detail as you can that is specific to
>     the problem you are having ;)
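
An added example, not part of the original thread or of Snort itself: a small audit that reads `frag3_engine` lines from snort.conf text and reports any engine whose fragment timeout is shorter than the reassembly timeout of the host it protects, which is the mismatch the test in this thread relies on. The function names are hypothetical, the 60 second Windows figure is the one quoted in the post, and the defaults (timeout 60, policy bsd) are assumed from the Snort 2.x frag3 documentation.

```python
import re

# Assumption: host reassembly timeout in seconds. 60 is the Windows figure
# quoted in the thread; other entries would have to be measured or documented.
HOST_FRAG_TIMEOUT = {"windows": 60}
FRAG3_DEFAULT_TIMEOUT = 60    # assumed frag3_engine default when "timeout" is omitted
FRAG3_DEFAULT_POLICY = "bsd"  # assumed frag3_engine default policy


def parse_frag3_engines(conf_text):
    """Return one dict per 'preprocessor frag3_engine' line in snort.conf text."""
    # Join backslash-continued lines before splitting into logical lines.
    joined = re.sub(r"\\[ \t]*\n", " ", conf_text)
    engines = []
    for line in joined.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"preprocessor\s+frag3_engine\s*:?\s*(.*)$", line)
        if not m:
            continue
        tokens = m.group(1).replace(",", " ").split()
        eng = {"policy": FRAG3_DEFAULT_POLICY, "timeout": FRAG3_DEFAULT_TIMEOUT,
               "detect_anomalies": "detect_anomalies" in tokens}
        for key, cast in (("policy", str), ("timeout", int)):
            if key in tokens and tokens.index(key) + 1 < len(tokens):
                eng[key] = cast(tokens[tokens.index(key) + 1])
        engines.append(eng)
    return engines


def timeout_gaps(conf_text, protected_os):
    """List (engine, gap_seconds) for engines that expire fragments before the host."""
    host = HOST_FRAG_TIMEOUT[protected_os]
    return [(e, host - e["timeout"]) for e in parse_frag3_engines(conf_text)
            if e["timeout"] < host]


# Constructed sample; the first engine line is the one posted in the thread.
SAMPLE_CONF = """\
# constructed snort.conf fragment
preprocessor frag3_global: max_frags 65536
preprocessor frag3_engine: policy first detect_anomalies timeout 30
preprocessor frag3_engine: policy windows bind_to 192.0.2.0/24 \\
    detect_anomalies
"""

if __name__ == "__main__":
    for eng, gap in timeout_gaps(SAMPLE_CONF, "windows"):
        print(f"policy={eng['policy']} timeout={eng['timeout']}s: "
              f"host keeps fragments {gap}s longer than the sensor")
```
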




