[Snort-users] Frag3 target default setting
research at ...17107...
Sat Feb 28 16:34:41 EST 2015
On Feb 28, 2015, at 4:30 PM, Joel Esler (jesler) <jesler at ...589...> wrote:
> Yes, you should.
>> On Feb 28, 2015, at 4:18 PM, Research <research at ...17107...> wrote:
>> I have noticed that in the default snort.conf file that ships with Snort 126.96.36.199, the frag3 preprocessor’s setting for “policy” is “windows”:
>> preprocessor frag3_engine: policy windows detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>> Based on the latest Snort manual, I note the following about target based assembly:
>> “The basic idea behind target-based IDS is that we tell the IDS information about hosts on the network so that it can
>> avoid Ptacek & Newsham style evasion attacks based on information about how an individual target IP stack operates.”
>> In my case, I am using Snort in passive mode on a web server based on Linux. The target that I am protecting is not a network,
>> but a single Linux host.
>> In this case, should I not change the policy to linux, as in:
>> preprocessor frag3_engine: policy linux detect_anomalies overlap_limit 10 min_fragment_length 100 timeout 180
>> …or a) am I incorrect, or b) are the differences minimal?
Excellent; thank you.
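
The target-based reassembly idea quoted from the manual in this thread, as an added example that is not part of the original messages and is not Snort code: it reassembles one constructed set of overlapping fragments under three overlap policies and reports whether a sensor and the host it watches would end up with different bytes. `first`, `last` and `linux` are frag3 policy names, but the overlap rules below are simplified assumptions (the `linux` rule keeps data already held only when its fragment started at a strictly lower offset), and frag3's `windows` policy is not modelled.

```python
# Added illustration: simplified overlap-resolution models, not Snort source code.
POLICIES = ("first", "last", "linux")

def reassemble(fragments, policy):
    """Rebuild a datagram payload from (byte_offset, payload) pairs in arrival order."""
    if policy not in POLICIES:
        raise ValueError(f"unmodelled policy: {policy}")
    owner = {}  # byte position -> (byte value, offset of the fragment that supplied it)
    for offset, payload in fragments:
        for i, value in enumerate(payload):
            pos = offset + i
            if pos in owner:
                kept_offset = owner[pos][1]
                if policy == "first":
                    new_wins = False            # data already held is kept
                elif policy == "last":
                    new_wins = True             # newest data overwrites
                else:                           # "linux" (assumed rule, see lead-in)
                    new_wins = kept_offset >= offset
                if not new_wins:
                    continue
            owner[pos] = (value, offset)
    if sorted(owner) != list(range(len(owner))):
        raise ValueError("fragments leave a gap; nothing to reassemble")
    return bytes(owner[p][0] for p in range(len(owner)))

def policy_mismatch(fragments, sensor_policy, host_policy):
    """True when the sensor would inspect different bytes than the host delivers."""
    return reassemble(fragments, sensor_policy) != reassemble(fragments, host_policy)

# Constructed sample: four fragments, two of which overlap earlier data.
SAMPLE = [
    (0, b"A" * 16),
    (16, b"B" * 8),
    (8, b"C" * 8),    # overlaps bytes 8-15 of the fragment at offset 0
    (16, b"D" * 8),   # same offset as the earlier fragment at 16
]

if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:5} -> {reassemble(SAMPLE, name).decode()}")
    print("sensor=first, host=linux disagree:",
          policy_mismatch(SAMPLE, "first", "linux"))
```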