[Snort-users] Frag3 target default setting
research at ...17107...
Sat Feb 28 16:18:44 EST 2015
I have noticed that in the default snort.conf file that ships with Snort 220.127.116.11, the frag3 preprocessor’s setting for “policy” is “windows”:
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
Based on the latest Snort manual, I note the following about target based assembly:
"The basic idea behind target-based IDS is that we tell the IDS information about hosts on the network so that it can
avoid Ptacek & Newsham style evasion attacks based on information about how an individual target IP stack operates.”
In my case, I am using Snort in passive mode on a web server based on Linux. The target that I am protecting is not a network,
but a single Linux host.
In this case, should I not change the policy to linux, as in:
preprocessor frag3_engine: policy linux detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
…or am I a) incorrect, or b) are the differences minimal?
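For reference, the following snort.conf fragment is an added example, not part of the original post or of the stock snort.conf, showing how frag3 is normally configured for a target-based setup: one engine bound to the protected host with the policy matching its IP stack, plus a catch-all engine for everything else. The address 192.0.2.10 is a placeholder for the Linux web server being protected, and the engine options are copied from the post's defaults.

```conf
# Added example: target-based frag3 configuration for a single Linux host.
# frag3_global must precede the engines; memcap/max_frags are left at defaults here.
preprocessor frag3_global: max_frags 65536

# Engine for the protected host (placeholder address 192.0.2.10, assumed).
# bind_to restricts this engine to packets whose destination is in the list,
# so reassembly for this host follows Linux overlap/favor rules.
preprocessor frag3_engine: policy linux bind_to 192.0.2.10 detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180

# Catch-all engine (no bind_to) for any other destination seen on the wire;
# the shipped default of "windows" is kept only as the fallback.
preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
```

Snort evaluates frag3 engines in order and uses the first whose bind_to matches the destination, falling back to the unbound engine, so the bound engine must be listed first. If the sensor only ever sees traffic for the one host, a single engine with policy linux and no bind_to (as in the post's second example) is equivalent.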