Re: [Snort-devel] Content across multiple packets Not detected by Snort

From: Dennis George <easyeinfo(at)yahoo.com>
Date: Sat Apr 24 2004 - 02:49:55 EDT

Hi Abhijit,  

I am not talking about packet fragmentation. I will give you a scenario.... When you send a huge data.. the data cannot be sent in a single packet but in multiple packets.... thus if your key word is splitted in two packets then snort is not detecting it......  

frag2 is for fragmentation (a single packet splitted in many fragments)  

And Sorry I didn't find anything like tcp_reassemble in snort.... I searched the internet also.... Is it supported in Snort 2.1.0 ?????  

Thanks and Regards
Dennis

abhijit deodhar <abhideodhar@yahoo.co.in> wrote: Hello,
I have been working on Snort code for past 7-8 months. I think u r looking into the wrong preprocessor. Try out tcp_reassemble or frag2 preprocessor. Bcoz that handles the fragmentation of packets.

if it doesn.t work then in the decode.h you can see that snort appends ip fragmented packets to it's own structure packet. tru out that first. error will be surely there.

Bye
Abhijit

• Dennis George wrote: > Hi all,
  >
  > Intro :
  

  ---

Do you Yahoo!?
Yahoo! Photos: High-quality 4x6 digital prints for 25¢

---

This SF.net email is sponsored by: The Robotic Monkeys at ThinkGeek For a limited time only, get FREE Ground shipping on all orders of $35 or more. Hurry up and shop folks, this offer expires April 30th! http://www.thinkgeek.com/freeshipping/?cpg=12297

---

Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel Received on Sat Apr 24 02:56:42 2004