[Snort-users] Frag3 target default setting

Research research at ...17107...
Sat Feb 28 16:18:44 EST 2015


Hi,

I have noticed that in the default snort.conf file that ships with Snort 2.9.7.0, the frag3 preprocessor's setting for "policy" is "windows":

	preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

Based on the latest Snort manual, I note the following about target based assembly:

	"The basic idea behind target-based IDS is that we tell the IDS information about hosts on the network so that it can
	avoid Ptacek & Newsham style evasion attacks based on information about how an individual target IP stack operates."

In my case, I am using Snort in passive mode on a web server based on Linux.  The target that I am protecting is not a network,
but a single Linux host.

In this case, should I not change the policy to linux, as in:

	preprocessor frag3_engine: policy linux detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

…or am I a) incorrect, or b) are the differences minimal?

Thanks
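As an added example (not part of the original post or of the stock snort.conf), one way to express the change the poster is asking about without giving up a catch-all engine: frag3's bind_to option ties an engine to a list of IP addresses, so the linux reassembly policy can be applied only to the protected web server while an engine without bind_to remains the default for any other traffic the sensor sees. The address 192.0.2.10 is a placeholder for the host's real IP, and the max_frags value is illustrative rather than taken from the post.

```conf
# Added example configuration, not the snort.conf quoted in the post.
# Global frag3 settings; 65536 is an illustrative value.
preprocessor frag3_global: max_frags 65536

# Host-specific engine: the Linux reassembly policy is applied only to the
# protected web server. 192.0.2.10 is a placeholder; use the host's own IP.
preprocessor frag3_engine: policy linux bind_to 192.0.2.10 detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

# Default engine (no bind_to) for any other traffic the sensor happens to see;
# frag3 allows only one default engine.
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
```

Validate the result with a configuration test run (`snort -T -c snort.conf`) before restarting the sensor, and confirm the bind_to address matches the interface Snort is actually listening on in passive mode.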



More information about the Snort-users mailing list