vern at icir.org
Thu Feb 7 23:46:59 PST 2002
> How long does Bro keep ip-fragments ?
This isn't great - clearly there should be a user-controllable timeout.
However, if you set the timeout too low, then you become vulnerable to an
evasion attack. It's not clear what's a safe timeout value (some stacks
might use a fixed-size buffer, say, and ignore implementing a timer at
all). A project I'm working on with a student (Umesh Shankar) may wind
up assessing this further.
If someone wants to add a user-controllable timeout, that would be great.
More information about the Bro