[Oisf-devel] Suggestions about feature #447

giuseppe at securitymind.it
Wed Jan 16 14:29:38 UTC 2013


On Wed, 16 Jan 2013 13:27:07 +0100, Victor Julien <victor at inliniac.net>
wrote:
> On 01/16/2013 10:25 AM, giuseppe at securitymind.it wrote:
>> On Tue, 15 Jan 2013 18:14:56 +0100, Victor Julien <victor at inliniac.net>
>> wrote:
>>> (please keep this on list)
>>>
>>> On 01/15/2013 06:10 PM, giuseppe at securitymind.it wrote:
>>>> On Tue, 15 Jan 2013 10:58:50 +0100, Victor Julien <victor at inliniac.net>
>>>> wrote:
>>>>> On 01/14/2013 09:03 PM, giuseppe at securitymind.it wrote:
>>>>>> Hi,
>>>>>> These past days I studied the code regarding defragmentation
>>>>>> to understand how it works and to implement the best features
>>>>>> discussed.
>>>>>>
>>>>>> If I understand correctly, in the function DefragContextNew, I have to
>>>>>> set up the correct ip frag timeout value
>>>>>> in the variable timeout.
>>>>>>
>>>>>> The value to be used can be taken by the function DefragGetOsPolicy,
>>>>>> which according to the destination address returns me the OS type,
>>>>>> right?
>>>>>
>>>>> Sounds right :)
>>>>
>>>> This value (src/defrag.c, line 546):
>>>> tracker->timeout = p->ts.tv_sec + defrag_context->timeout;
>>>>
>>>> is regarding the ip fragmentation timeout value?
>>>
>>> Yes, the timeout is reset for each packet.
>>
>> Well, then, the timeout value in DefragContextNew should match the ip frag
>> timeout value of the OS that's running Suricata,
>> and then be reset with the ip frag timeout value of the destination OS?
>>
> 
> The OS that is used by the box running Suricata isn't important.

The timeout value in DefragContextNew should match TIMEOUT_DEFAULT?

> What the timeout value should be set to is the destination OS' value.

When it's reset, the timeout value must be:
tracker->timeout = Destination OS Value;
or
tracker->timeout = p->ts.tv_sec + defrag_context->timeout + Destination OS Value;
?

Thanks
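As an added illustration of the pattern the thread is discussing (this is example code written here, not Suricata's defrag.c and not a reply from the list), the block below keeps the shape of the quoted line `tracker->timeout = p->ts.tv_sec + defrag_context->timeout`: the tracker stores an absolute deadline, rebuilt on every fragment from the packet timestamp plus a duration. The only change is that the duration is looked up per destination OS instead of taken from the context-wide default. The `os_policy` names, the `tracker` struct and the per-OS second counts are assumptions and constructed placeholders for the example, not Suricata's identifiers or real stack parameters.

```c
#include <stdio.h>
#include <time.h>

/* Illustrative OS policy identifiers. These names are assumptions for the
 * example; they are not Suricata's own enum. */
enum os_policy {
    OS_POLICY_DEFAULT = 0,
    OS_POLICY_LINUX,
    OS_POLICY_WINDOWS,
    OS_POLICY_BSD
};

/* Context-wide fallback, playing the role of defrag_context->timeout. */
#define TIMEOUT_DEFAULT 60

/* Reassembly timeout (in seconds) for the destination host's IP stack.
 * The per-OS numbers are CONSTRUCTED placeholders for this example and
 * must be replaced by values taken from the target stacks' documentation. */
int os_frag_timeout(enum os_policy policy)
{
    switch (policy) {
    case OS_POLICY_LINUX:   return 30;
    case OS_POLICY_WINDOWS: return 60;
    case OS_POLICY_BSD:     return 30;
    default:                return TIMEOUT_DEFAULT;
    }
}

/* Minimal stand-in for a defrag tracker: the destination's policy and an
 * absolute expiry time (seconds since the epoch), as in the original
 * tracker->timeout = p->ts.tv_sec + defrag_context->timeout. */
struct tracker {
    enum os_policy policy;
    time_t timeout;
};

/* Called for every fragment: the deadline is rebuilt from this packet's
 * timestamp plus the destination OS duration. The duration REPLACES the
 * context default; adding both would double the reassembly window. */
void tracker_touch(struct tracker *t, time_t pkt_ts_sec)
{
    t->timeout = pkt_ts_sec + os_frag_timeout(t->policy);
}

/* A tracker is stale once the current time passes its absolute deadline. */
int tracker_expired(const struct tracker *t, time_t now)
{
    return now > t->timeout;
}

/* Absolute expiry a fresh tracker gets for a fragment seen at pkt_ts. */
time_t expiry_for(enum os_policy policy, time_t pkt_ts)
{
    struct tracker t = { policy, 0 };
    tracker_touch(&t, pkt_ts);
    return t.timeout;
}

/* Two fragments at t1 and t2, then a check at `now`: shows that the second
 * fragment moves the deadline relative to its own timestamp. */
int expired_after_two_fragments(enum os_policy policy, time_t t1, time_t t2,
                                time_t now)
{
    struct tracker t = { policy, 0 };
    tracker_touch(&t, t1);
    tracker_touch(&t, t2);
    return tracker_expired(&t, now);
}

int main(void)
{
    struct tracker t = { OS_POLICY_LINUX, 0 };
    tracker_touch(&t, 1000);
    printf("linux tracker expires at %ld\n", (long)t.timeout);
    tracker_touch(&t, 1020);
    printf("after second fragment: %ld, expired at 1040? %d\n",
           (long)t.timeout, tracker_expired(&t, 1040));
    return 0;
}
```

The point of `expiry_for` is that the stored value is a point in time, not a duration, so a per-OS value belongs where `defrag_context->timeout` sits today rather than on top of it; `expired_after_two_fragments` shows that a late fragment pushes the deadline out from its own timestamp, which is the "reset for each packet" behaviour described above.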
