[Snort-users] defragmentation issue

Nouar Ismail nouaresmail at ...11827...
Wed Dec 21 12:19:54 EST 2016

I have a pcap file of 450 fragmented ICMP packets.
When I pass it to Snort with only ICMP rules, I get no alerts. When I add
an IP rule, I get exactly 450 alerts.
I set up the frag3_global: memcap 67108864, max_frags 131072
frag3_engine: policy last detect_anomalies
Does anybody have any idea what the problem is?!