
List:       snort-users
Subject:    Re: [snort] rules for jolt2?
From:       Dragos Ruiu <dr () dursec ! com>
Date:       2000-05-31 16:11:30

On Wed, 31 May 2000, Martin Roesch wrote:
> Hi Erich,
>     Fragments don't go into the detection engine because they have
> incomplete transport layer data and would break things.  This may be the
> time to make a "frag-watch" preprocessor that can look for  specific
> things like this while we wait for Dragos to finish up the defrag
> preprocessor.  A frag-watch might be a good thing to do anyway, so that
> specific things like jolt2 could be picked up.  All the code to do this
> is already in the program, it's just a matter of wrapping it up into a
> nice package and putting it in place.
>      Dragos: what's the status today on the defrag stuff?  Could it be
> told to look for things like this, or just symptoms (orphaned frags,
> last frag arriving first, etc)?


The status today is that it seems to be functional on Solaris and BSD, but
doesn't work yet on Linux because of the different way it handles pcap headers.

I finished a version that should work on Linux last night and am testing it 
this afternoon after I finish some work stuff.

I have hooks in it for bum fragment checking, but no specific alerts
other than mis-sized end fragments.  I silently delete orphans now
but this behaviour can be changed. My question is on how the
preprocessor options should turn the alarming on and off.  I'll
try to propose something.

I also agree with a frag-watch preprocessor.... that functionality could
easily be integrated into my code or could be standalone.  If people
want it I'll integrate jolt2-style "errant end frag" alerts this aft when I
get back to the defragger.

Given that the defragger is at least partially functional (and may even
be fully functional by this aft), I think a release today should be
a good idea.

--dr

-- 
dursec.com ltd. / kyx.net - we're from the future    http://www.dursec.com
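Below is an added illustration of the two checks discussed in this thread: a jolt2-style mis-sized end fragment (offset plus payload beyond the 65535-byte IPv4 maximum) and the "last frag arriving first" symptom Martin mentions. It is not Snort code and not the defrag preprocessor Dragos describes; it is a stand-alone C sketch written for this archive page. The IPv4 header layout follows RFC 791; the packets are constructed in build_frag(), and every name here (frag_check, build_frag, frag_verdict, the 10.0.0.x addresses) is invented for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_MAX_LEN 65535u   /* largest IPv4 datagram, RFC 791 */
#define IP_MF      0x2000u  /* "more fragments" flag */
#define IP_OFFMASK 0x1fffu  /* fragment offset, in 8-byte units */

enum frag_verdict {
    FRAG_NONE = 0,      /* not a fragment, or nothing suspicious */
    FRAG_HEADER_SHORT,  /* too short to carry a valid IPv4 header */
    FRAG_OVERSIZED_END, /* offset + payload exceeds 65535: jolt2-style errant end fragment */
    FRAG_LAST_FIRST     /* last fragment seen before any other piece of the datagram */
};

/* Minimal per-datagram state: which (src, dst, id, proto) tuples we have already
 * seen a fragment for.  A real preprocessor would time entries out (that is where
 * orphan handling belongs); a fixed table that wraps is enough to show the check. */
struct frag_key { uint32_t src, dst; uint16_t id; uint8_t proto; };
#define MAX_TRACKED 64
static struct frag_key seen[MAX_TRACKED];
static int nseen;

void frag_reset(void) { nseen = 0; }

static int key_equal(const struct frag_key *a, const struct frag_key *b) {
    return a->src == b->src && a->dst == b->dst && a->id == b->id && a->proto == b->proto;
}

static int key_seen(const struct frag_key *k) {
    for (int i = 0; i < nseen; i++)
        if (key_equal(&seen[i], k)) return 1;
    return 0;
}

static void key_remember(const struct frag_key *k) {
    if (key_seen(k)) return;
    if (nseen == MAX_TRACKED) nseen = 0;  /* crude wrap instead of a timeout */
    seen[nseen++] = *k;
}

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Inspect one raw IPv4 packet (no link layer) and report fragment anomalies. */
enum frag_verdict frag_check(const uint8_t *pkt, size_t len) {
    if (len < 20 || (pkt[0] >> 4) != 4) return FRAG_HEADER_SHORT;
    uint32_t ihl = (pkt[0] & 0x0f) * 4u;
    uint32_t total_len = rd16(pkt + 2);
    if (ihl < 20 || len < ihl || total_len < ihl) return FRAG_HEADER_SHORT;

    uint16_t fo = rd16(pkt + 6);
    int more = (fo & IP_MF) != 0;
    uint32_t off = (fo & IP_OFFMASK) * 8u;
    if (!more && off == 0) return FRAG_NONE;          /* unfragmented datagram */

    uint32_t payload = total_len - ihl;               /* what the header claims */
    if (off + payload > IP_MAX_LEN) return FRAG_OVERSIZED_END;

    struct frag_key k = { rd32(pkt + 12), rd32(pkt + 16), rd16(pkt + 4), pkt[9] };
    int first_time = !key_seen(&k);
    key_remember(&k);
    if (!more && first_time) return FRAG_LAST_FIRST;  /* a symptom, not proof of attack */
    return FRAG_NONE;
}

/* Build a constructed test fragment: 20-byte header plus zeroed payload. */
size_t build_frag(uint8_t *buf, size_t cap, uint16_t id, uint16_t off8, int more, uint16_t payload_len) {
    size_t total = 20 + (size_t)payload_len;
    if (cap < total || total > IP_MAX_LEN) return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                                    /* IPv4, 20-byte header */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[4] = (uint8_t)(id >> 8);    buf[5] = (uint8_t)id;
    uint16_t fo = (uint16_t)((off8 & IP_OFFMASK) | (more ? IP_MF : 0));
    buf[6] = (uint8_t)(fo >> 8);    buf[7] = (uint8_t)fo;
    buf[8] = 64; buf[9] = 17;                         /* TTL, UDP */
    memcpy(buf + 12, "\x0a\x00\x00\x01", 4);          /* 10.0.0.1 (constructed) */
    memcpy(buf + 16, "\x0a\x00\x00\x02", 4);          /* 10.0.0.2 (constructed) */
    return total;
}

int main(void) {
    static const char *names[] = { "none", "header-short", "oversized-end", "last-first" };
    uint8_t b[2048];
    size_t n;
    frag_reset();
    n = build_frag(b, sizeof b, 1, 0, 1, 1480);   printf("first frag:  %s\n", names[frag_check(b, n)]);
    n = build_frag(b, sizeof b, 1, 185, 0, 100);  printf("last frag:   %s\n", names[frag_check(b, n)]);
    n = build_frag(b, sizeof b, 2, 185, 0, 100);  printf("last first:  %s\n", names[frag_check(b, n)]);
    n = build_frag(b, sizeof b, 3, 8190, 0, 48);  printf("jolt2-like:  %s\n", names[frag_check(b, n)]);
    return 0;
}
```

frag_check() only returns a verdict; whether "last-first" is alerted on, logged or ignored is left to whoever wires it in, since fragment reordering happens on healthy networks and that verdict is a symptom rather than an attack signature. The oversized-end check, by contrast, never fires on a legitimate datagram.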
