Sunday, March 29, 2009

The frag3 preprocessor in Snort

Why is the frag3 preprocessor needed?
The frag3 preprocessor performs target-based analysis.
The term "target-based" describes an intelligent IDS that is informed about the hosts residing on the network and is capable of analyzing traffic sent to those hosts in the same way the host itself analyzes that traffic.
This improves the accuracy of the IDS.

For example:


How do you use the frag3 preprocessor in snort.conf?


For example:
preprocessor frag3_engine: policy first, bind_to 10.4.10.0/24

Now any overlapping fragments that Snort sees destined for subnet 10.4.1.x are reassembled using the "first"
fragmentation policy, so Snort reassembles fragments destined for those hosts in precisely the same way as the
Windows hosts themselves.
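To make concrete why the policy bound to a subnet has to match the hosts living there, here is an added Python simulation (not Snort code and not part of the original post) of how two reassembly policies resolve overlapping IP fragments. The "first" policy keeps the bytes of the earliest-arriving fragment for each offset and "last" keeps the latest; the fragments, the policy names as implemented here, and the helper names are constructed for this illustration. When the IDS reassembles with one policy and the target host with another, the two see different datagrams for the same packets, which is the detection gap frag3's bind_to is meant to close.

```python
"""Simulate how the fragment reassembly policy changes the bytes a host sees.

Constructed example: only the 'first' and 'last' policies are modelled, and
fragments are given as (byte offset, payload) pairs in their arrival order.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Fragment:
    offset: int   # byte offset of this payload within the full datagram
    data: bytes   # payload bytes carried by this fragment


def reassemble(fragments: List[Fragment], policy: str) -> bytes:
    """Reassemble possibly overlapping fragments under a named policy.

    'first': a byte position is owned by the first fragment that covered it.
    'last':  a byte position is owned by the most recent fragment covering it.
    Raises ValueError for an unknown policy or a hole in the datagram.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown reassembly policy {policy!r}")
    total = max(f.offset + len(f.data) for f in fragments)
    buf = bytearray(total)
    filled = [False] * total          # which byte positions have been written
    for frag in fragments:            # process in arrival order
        for i, byte in enumerate(frag.data):
            pos = frag.offset + i
            if policy == "last" or not filled[pos]:
                buf[pos] = byte
                filled[pos] = True
    if not all(filled):
        raise ValueError("gap in reassembled datagram")
    return bytes(buf)


def views_agree(fragments: List[Fragment], ids_policy: str, host_policy: str) -> bool:
    """True when the IDS and the target host would reassemble the same bytes."""
    return reassemble(fragments, ids_policy) == reassemble(fragments, host_policy)


# Constructed fragment stream: the second fragment overlaps bytes 5..15 of the first.
SAMPLE_FRAGMENTS = [
    Fragment(0, b"GET /index.html "),   # arrives first, covers bytes 0..15
    Fragment(5, b"other.html "),        # arrives second, covers bytes 5..15
]


if __name__ == "__main__":
    for policy in ("first", "last"):
        print(f"{policy:5}: {reassemble(SAMPLE_FRAGMENTS, policy)!r}")
    print("IDS 'last' vs host 'first' agree:",
          views_agree(SAMPLE_FRAGMENTS, "last", "first"))
```

In snort.conf the frag3_engine line above must be preceded by a frag3_global line, and each engine's bind_to should carry the policy matching the operating systems actually deployed in that subnet; the simulation shows what goes wrong when it does not.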
