
Snort mailing list archives

Re: snort DCE/RPC reassemble_threshold
From: Ryan Jordan <ryan.jordan () sourcefire com>
Date: Tue, 21 Dec 2010 12:45:15 -0500

README.dcerpc still has a version in 2.8.6.1 because DCE/RPC wasn't
removed until 2.9.0.

On Tue, Dec 21, 2010 at 12:24 PM, Lawrence R. Hughes, Sr.
<lhughes () safemedia com> wrote:
Ryan,

Thanks, I did find the README.DCERPC2 after I sent the message.
My question is why, if DCE/RPC was deprecated in Snort 2.8.6.1,
the README.DCERPC has a version for 2.8.6.1 listed here:
http://cvs.snort.org/viewcvs.cgi/snort/doc/Attic/README.dcerpc?logsort=date&search=None&hideattic=1&sortby=file&hidecvsroot=1&diff_format=h

Thanks,
Larry

----- Original Message ----- From: "Ryan Jordan"
<ryan.jordan () sourcefire com>
To: "Lawrence R. Hughes, Sr." <lhughes () safemedia com>
Cc: <snort-users () lists sourceforge net>
Sent: Tuesday, December 21, 2010 12:14 PM
Subject: Re: [Snort-users] snort DCE/RPC reassemble_threshold


Hi Larry,

The README.dcerpc that you linked was tied to the old dcerpc
preprocessor, which we removed in Snort 2.9.0. We replaced it with
dcerpc2 a couple years ago, whose README you can find here:
http://cvs.snort.org/viewcvs.cgi/snort/doc/README.dcerpc2

From the README:

  reassemble_threshold
      Specifies a minimum number of bytes in the DCE/RPC desegmentation and
      defragmentation buffers before creating a reassembly packet to send to
      the detection engine. This option is useful in inline mode so as to
      potentially catch an exploit early before full defragmentation is done.
      A value of 0 supplied as an argument to this option will, in effect,
      disable this option.  Default is disabled.

-Ryan

On Tue, Dec 21, 2010 at 12:04 PM, Lawrence R. Hughes, Sr.
<lhughes () safemedia com> wrote:

Hi,

The default snort.conf file has:

preprocessor dcerpc2: reassemble_threshold

yet when looking at the Snort manual, reassemble_threshold is never
mentioned.
Also, the README.dcerpc does not mention it.

What is it and what does it do?

Thanks,
Larry


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users



