[Snort-devel] frag2

From: Dorin H. <piggysnort_2004(at)yahoo.com>
Date: Tue Mar 23 2004 - 18:40:21 EST


Hi,
  I have a question related to the way the IP fragments are handled in Snort2. As I see in the preprocessor code (spp_frag2), unless an exceptional situation occurs, the original Packet containing the fragment is sent through the rest of the processing chain (do_detect remains set).
  Why is this necessary? I understand that, otherwise, some of the fragments could be dropped while kept in frag-trees due to overlaps or timeouts, but could we avoid this duplicate processing (once for fragment, once for reconstructed IP)? Did I get it wrong? Any thoughts, ideas, comments? TIA,
/Dorin.



Received on Tue Mar 23 18:52:31 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT

