[Snort-users] Frag3 target default setting

Joel Esler (jesler) jesler at ...589...
Sat Feb 28 16:30:46 EST 2015

Yes, you should.

> On Feb 28, 2015, at 4:18 PM, Research <research at ...17107...> wrote:
> Hi,
> I have noticed that in the default snort.conf file that ships with Snort, the frag3 preprocessor’s setting for “policy” is “windows:
> 	preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
> Based on the latest Snort manual, I note the following about target based assembly:
> 	"The basic idea behind target-based IDS is that we tell the IDS information about hosts on the network so that it can 
> 	avoid Ptacek & Newsham style evasion attacks based on information about how an individual target IP stack operates.”
> In my case, I am using Snort in passive mode on a web server based on Linux.  The target that I am protecting is not a network,
> but a single Linux host.
> In this case, should I not change the policy to linux, as in:
> 	preprocessor frag3_engine: policy linux detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
> …or am I a) incorrect or b) the differences are minimal ?
> Thanks
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the 
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

More information about the Snort-users mailing list