[Snort-users] Frag3 timeout ignored
wkitty42 at ...14940...
Sun Sep 2 16:32:30 EDT 2012
On 9/2/2012 03:20, Emeka Agu wrote:
> So sorry, it was early in the morning and I wasn't fully functioning!
yeah... for me, too... actually the end of a very long day... thus i typed
stream3 when i meant frag3 :/
> In snort I set the timeout for fragments as 30 seconds. I know Windows has a 60
> second fragment timeout. Using scapy I fragment a packet into two (Wireshark
> sees the separation as an IP fragment).
> I send the first fragment straight away, wait 45 seconds then send the next,
> thinking the original fragment will be dropped from Snort's buffer but kept by
> the OS buffer, but Snort STILL notices it reassembles the file and alerts me to
> the content.
ahhh... ok... i understand better now ;)
> As for version, it is the default one on Backtrack 5R2, how can I tell the
that must be a capital 'V'...
> My Frag3 line is:
> preprocessor frag3_engine: policy first detect_anomalies timeout 30
> I notice that I can set the Stream5 timeout to a value too, so maybe I will set that to 30 seconds and see
you caught my mistake :) good that you looked there... that might be where you
need to make that setting for what you are trying to do :)
> On 2 September 2012 06:19, waldo kitty <wkitty42 at ...14940...> wrote:
> On 9/1/2012 22:36, Gmail Personal wrote:
> > Hi guys, my Frag3 timeout of 30 seconds is ignored when I'm doing some
> > with Scapy
> > Is it as simple as putting "timeout 30" in the Frag engine options?
> you need to explain a bit more details... what do you mean that the timeout is
> not working?
> are you expecting that snort will timeout on the stream after 30 seconds or
> what version of snort are you running?
> what, exactly, does your stream3 config line look like??
> FWIW: all of our crystal balls are in the repair shop due to failures in reading
> what others are trying to depict with their reports... we only have what
> you/they can accurately explain to us to work with... "it isn't working" is like
> saying the "car won't start" and no one can tell if the battery is dead or the
> gas is watered down...
> so help us to help you... give us as much detail as you can that is specific to
> the problem you are having ;)