[Bro-Dev] ipv6 fragment reassembling
Robin Sommer
robin at icir.org
Fri Feb 24 11:03:26 PST 2012
On Thu, Feb 23, 2012 at 15:20 -0800, you wrote:
> Even with a "standard" way of handling overlaps the IDS has no way of
> knowing if the monitored systems actually implement the standard
> correctly.
Yeah, that's right. In particular given that this is a recent change.
What we could see is if overlapping fragements are rare enough that
it's worth alarming on.
Robin
--
Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL * Fax +1 (510) 666-2956 * www.icir.org
More information about the bro-dev
mailing list