[Snort-users] Frag3 target default setting

Research research at ...17107...
Sat Feb 28 16:34:41 EST 2015


On Feb 28, 2015, at 4:30 PM, Joel Esler (jesler) <jesler at ...589...> wrote:

> Yes, you should.
> 
> 
>> On Feb 28, 2015, at 4:18 PM, Research <research at ...17107...> wrote:
>> 
>> Hi,
>> 
>> I have noticed that in the default snort.conf file that ships with Snort 2.9.7.0, the frag3 preprocessor’s setting for “policy” is “windows”:
>> 
>> 	preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>> 
>> Based on the latest Snort manual, I note the following about target based assembly:
>> 
>> 	"The basic idea behind target-based IDS is that we tell the IDS information about hosts on the network so that it can 
>> 	avoid Ptacek & Newsham style evasion attacks based on information about how an individual target IP stack operates.”
>> 
>> In my case, I am using Snort in passive mode on a web server based on Linux.  The target that I am protecting is not a network,
>> but a single Linux host.
>> 
>> In this case, should I not change the policy to linux, as in:
>> 
>> 	preprocessor frag3_engine: policy linux detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>> 
>> …or am I a) incorrect, or b) are the differences minimal?
>> 
>> Thanks

Excellent; thank you.
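The shipped default and the single-Linux-host variant discussed above, side by side in one snort.conf fragment, as an added example rather than anything posted in the thread. The host address 203.0.113.10 is a placeholder, and the `bind_to` option (from the frag3 section of the Snort manual) is used so that the Linux policy applies only to traffic destined for that host while any other destination keeps the shipped Windows policy:

```conf
# Added example, not from the thread: frag3 configuration for a passive sensor
# whose only protected target is one Linux web server.
# 203.0.113.10 is a placeholder address (TEST-NET-3), not taken from the thread.

# Global fragment table settings, as in the shipped snort.conf.
preprocessor frag3_global: max_frags 65536

# Engine for the protected host: reassemble overlapping fragments the way the
# Linux IP stack does, so an attacker cannot craft overlaps that the sensor
# and the target resolve differently (the Ptacek/Newsham evasion).
# bind_to selects this engine by packet destination address.
preprocessor frag3_engine: policy linux, bind_to 203.0.113.10, detect_anomalies, overlap_limit 10, min_fragment_length 100, timeout 180

# Catch-all engine for every other destination; this is the line that ships
# in the Snort 2.9.7.0 snort.conf (policy windows).
preprocessor frag3_engine: policy windows, detect_anomalies, overlap_limit 10, min_fragment_length 100, timeout 180
```

Run `snort -T -c /etc/snort/snort.conf` before restarting the sensor; `-T` parses the configuration and exits, so a typo in the engine line shows up there rather than at the next start. If the sensor only ever sees traffic to the one host, the `bind_to` can be dropped and the single `policy linux` engine used as the thread suggests. Not raised in the thread, but worth the same check: the shipped snort.conf's `stream5_tcp` line also carries `policy windows`, and the reasoning about matching the target's stack applies to TCP reassembly in the same way.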


