Snort mailing list archives

Re: preprocessor normalize_tcp: ips


From: Jason Wallace <jason.r.wallace () gmail com>
Date: Tue, 10 Jan 2012 09:06:06 -0500

So is it safe to say that this option should not be used in an
environment with a large number of host OSs that use a different
reassembly method?

On Mon, Jan 9, 2012 at 4:31 PM, Russ Combs <rcombs () sourcefire com> wrote:

> On Mon, Jan 9, 2012 at 12:18 PM, Jason Wallace <jason.r.wallace () gmail com>
> wrote:
>
>> Howdy,
>>
>> The manual states that if you set "preprocessor normalize_tcp: ips"
>> that the ips option "ensure consistency in retransmitted data (also
>> forces reassembly policy to "first"). Any segments that can't be
>> properly reassembled will be dropped." Is this for streams or
>> fragments?
>
> Streams only.
>
>> Also, how does this affect later settings for stream5 and
>> frag3?  Does it make host-specific settings irrelevant?
>
> It only overrides the reassembly policy.
>
>> Thx,
>> Wally


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort
news!
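
The thread turns on what a reassembly policy decides when retransmitted TCP data overlaps bytes already received. The Python sketch below is an added illustration, not part of the thread and not Snort code: `reassemble`, `normalize_first` and the sample segments are constructed here, and the rewrite step is a simplified assumption about what an inline normalizer does to keep every receiver consistent with a "first" policy.

```python
# Added illustration; a simplified model, not Snort source code.

def reassemble(segments, policy):
    """Rebuild a stream from (seq, data) segments given in arrival order.

    "first": a byte already received for a sequence number is kept.
    "last":  a later-arriving byte overwrites the earlier one.
    """
    if policy not in ("first", "last"):
        raise ValueError("unknown policy: %r" % policy)
    stream = {}
    for seq, data in segments:
        for offset, byte in enumerate(data):
            pos = seq + offset
            if policy == "last" or pos not in stream:
                stream[pos] = byte
    if not stream:
        return b""
    start, end = min(stream), max(stream)
    # Holes in sequence space are out of scope for this model.
    if len(stream) != end - start + 1:
        raise ValueError("stream has gaps")
    return bytes(stream[p] for p in range(start, end + 1))


def normalize_first(segments):
    """Assumed inline behaviour: bytes overlapping data already seen are
    rewritten to the first-seen value before the segment is forwarded."""
    seen, forwarded = {}, []
    for seq, data in segments:
        fixed = bytearray(data)
        for offset, byte in enumerate(data):
            pos = seq + offset
            if pos in seen:
                fixed[offset] = seen[pos]   # enforce consistency with first copy
            else:
                seen[pos] = byte
        forwarded.append((seq, bytes(fixed)))
    return forwarded


# Constructed sample: the second segment overlaps sequence numbers 4..7
# of the first segment with different bytes.
SEGMENTS = [(0, b"GET /aaa"), (4, b"/bbb HTTP/1.0")]

if __name__ == "__main__":
    for policy in ("first", "last"):
        print(policy, reassemble(SEGMENTS, policy))
    print("normalized", reassemble(normalize_first(SEGMENTS), "last"))
```

Without normalization the two policies yield different streams from the same packets, which is why a passive sensor needs per-host policies; after the inline rewrite, both policies yield the same stream.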


