[Bro-Dev] ipv6 fragment reassembling

Robin Sommer robin at icir.org
Fri Feb 24 11:03:26 PST 2012

On Thu, Feb 23, 2012 at 15:20 -0800, you wrote:

> Even with a "standard" way of handling overlaps the IDS has no way of 
> knowing if the monitored systems actually implement the standard 
> correctly.

Yeah, that's right. In particular given that this is a recent change.
What we could see is if overlapping fragements are rare enough that
it's worth alarming on.


Robin Sommer * Phone +1 (510) 722-6541 * robin at icir.org
ICSI/LBNL    * Fax   +1 (510) 666-2956 *   www.icir.org

More information about the bro-dev mailing list