Snort - the de facto standard for intrusion detection/prevention

Frag 3 Configuration

Frag3 configuration is somewhat more complex than frag2. At least two preprocessor directives are required to activate frag3: a global configuration directive and an engine instantiation. An arbitrary number of engines, each with its own configuration, can be defined at startup, but there is only one global configuration.

Global Configuration

  • Preprocessor name: frag3_global
  • Available options:
    • max_frags <number> - Maximum simultaneous fragments to track. Default is 8192.
    • memcap <bytes> - Memory cap for self preservation. Default is 4MB.
    • prealloc_frags <number> - Alternate memory management mode. Use preallocated fragment nodes (faster in some situations).

Engine Configuration

  • Preprocessor name: frag3_engine
  • Available options:
    • timeout <seconds> - Timeout for fragments. Fragments in the engine for longer than this period will be automatically dropped. Default is 60 seconds.

    • ttl_limit <hops> - Maximum TTL delta acceptable for fragments, measured against the TTL of the first packet seen for that fragment set. Default is 5.

    • min_ttl <value> - Minimum acceptable TTL value for a fragment packet. Default is 1.

    • detect_anomalies - Detect fragment anomalies.

    • bind_to <ip_list> - IP list to bind this engine to. This engine will only run for packets with destination addresses contained within the IP list. Default value is all.

    • policy <type> - Select a target-based defragmentation mode. Available types are first, last, bsd, bsd-right, linux. Default type is bsd.

      The Paxson Active Mapping paper introduced the terminology that frag3 uses to describe policy types. The known mappings are listed below. Anyone who develops more mappings and would like to add to this list, please feel free to send us an email!

      Platform                      Type
      AIX 2                         BSD
      AIX 4.3 8.9.3                 BSD
      Cisco IOS                     Last
      FreeBSD                       BSD
      HP JetDirect (printer)        BSD-right
      HP-UX B.10.20                 BSD
      HP-UX 11.00                   First
      IRIX 4.0.5F                   BSD
      IRIX 6.2                      BSD
      IRIX 6.3                      BSD
      IRIX64 6.4                    BSD
      Linux 2.2.10                  linux
      Linux 2.2.14-5.0              linux
      Linux 2.2.16-3                linux
      Linux 2.2.19-6.2.10smp        linux
      Linux 2.4.7-10                linux
      Linux 2.4.9-31SGI 1.0.2smp    linux
      Linux 2.4 (RedHat 7.1-7.3)    linux
      MacOS (version unknown)       First
      NCD Thin Clients              BSD
      OpenBSD (version unknown)     linux
      OpenBSD (version unknown)     linux
      OpenVMS 7.1                   BSD
      OS/2 (version unknown)        BSD
      OSF1 V3.0                     BSD
      OSF1 V3.2                     BSD
      OSF1 V4.0,5.0,5.1             BSD
      SunOS 4.1.4                   BSD
      SunOS 5.5.1,5.6,5.7,5.8       First
      Tru64 Unix V5.0A,V5.1         BSD
      Vax/VMS                       BSD
      Windows (95/98/NT4/W2K/XP)    First
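To make the policy option concrete, the following is an added example (not code from the Snort manual or from frag3 itself) that models the five overlap policies on a constructed stream of overlapping fragments and shows that each policy reassembles it into a different payload, which is why an engine's policy should match the hosts it is bound to. Byte-granular offsets and the pairwise comparison of the two fragments' offsets are simplifying assumptions, not the real stack implementations.

```python
# Added example, not from the Snort manual: a simplified per-byte model of the five
# frag3 overlap policies, showing that one stream of overlapping fragments reassembles
# differently depending on the policy of the target host.

POLICIES = ("first", "last", "bsd", "bsd-right", "linux")

def favor_original(policy, orig_off, new_off):
    """True if the byte already held by an earlier fragment (offset orig_off) is kept
    when a later fragment (offset new_off) overlaps it. Rules follow the Paxson/Novak
    target-based reassembly descriptions; comparing the two offsets pairwise is a
    simplification of real stack behaviour."""
    if policy == "first":
        return True
    if policy == "last":
        return False
    if policy == "bsd":         # left-most wins, ties go to the original
        return orig_off <= new_off
    if policy == "bsd-right":   # later fragment wins unless it starts left of the original
        return orig_off > new_off
    if policy == "linux":       # left-most wins, ties go to the later fragment
        return orig_off < new_off
    raise ValueError(f"unknown policy {policy!r}")

def reassemble(fragments, policy):
    """fragments: (byte_offset, payload) pairs in arrival order. Gaps become b'?'."""
    held = {}  # byte position -> (offset of the fragment supplying it, byte value)
    for off, data in fragments:
        for i, b in enumerate(data):
            pos = off + i
            if pos not in held or not favor_original(policy, held[pos][0], off):
                held[pos] = (off, b)
    length = max(held) + 1 if held else 0
    return bytes(held[p][1] if p in held else ord("?") for p in range(length))

# Constructed sample stream (offsets in bytes; real IP fragments count 8-byte units).
SAMPLE = [
    (8, b"BBBBBBBB"),  # arrives first, covers 8-15
    (0, b"AAAAAAAA"),  # out of order, covers 0-7, no overlap yet
    (4, b"CCCC"),      # overlaps A, starts right of A's offset
    (8, b"DDDD"),      # same offset as B: exercises the tie rules
    (6, b"EEEE"),      # covers 6-9: starts right of A/C but left of B/D
]

def compare_policies(fragments=SAMPLE):
    return {p: reassemble(fragments, p) for p in POLICIES}

if __name__ == "__main__":
    for policy, payload in compare_policies().items():
        print(f"{policy:10s} {payload.decode()}")
```

Running it prints five different 16-byte payloads for the same five fragments; the first, bsd and linux results differ only in how the tie at offset 8 and the late left-overlapping fragment are resolved.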


Steven Sturges 2007-05-11