Security Incidents mailing list archives
Re: streams of fragments...
From: Burak DAYIOGLU <dayioglu () metu edu tr>
Date: Wed, 18 Jul 2001 15:20:46 +0300
Russell Fulton wrote:
For some time now snort has been logging 'Tiny Fragments' coming from several different addresses. Here is a sample:

Packet 1
TIME: 10:04:55.405457
LINK: 00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
IP: 62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D09
    MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE6E
TCP: port 0 -> 0 seq=0000000000 ack=0000000000
    hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=50A9 urg=59666
DATA: <No data>
---------------------------------------------------------------------------
Packet 2
TIME: 10:04:55.481006 (0.075549)
LINK: 00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP
IP: 62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D12
    MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE65
TCP: port 0 -> 0 seq=0000000000 ack=0000000000
    hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=0F59 urg=30577
DATA: <No data>

Note More Fragments and Don't fragment are both set to 1?? The packets arrive in pairs, both to the same destination address.

Might it be hping running in two-fragments mode? hping data portions are small; when split into two, it will be tiny. Busy now so cannot verify with a sniffer trace; sorry.

regards,
-bd

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
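
Added example, not part of the original thread or of snort: a small Python check that reads the IPv4 header fields shown in the dump above and reports why a fragment looks anomalous (DF and MF both set, a fragment with no payload, a first fragment too small for a transport header). The function names are hypothetical, and the sample header is constructed from the fields in the quoted dump with the checksum left at zero.

```python
import socket
import struct

DF, MF = 0x4000, 0x2000          # flag bits in the 16-bit flags/offset word
MIN_L4 = {6: 20, 17: 8}          # minimum TCP and UDP header sizes in bytes


def make_header(src, dst, ident, flags_frag, total_len, ttl=98, proto=6):
    """Pack a 20-byte IPv4 header (checksum left 0; constructed sample only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                       flags_frag, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def fragment_anomalies(packet):
    """Return the reasons an IPv4 packet's fragmentation fields look wrong."""
    if len(packet) < 20:
        return ["truncated IPv4 header"]
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    hlen = (ver_ihl & 0x0F) * 4
    df, mf = bool(flags_frag & DF), bool(flags_frag & MF)
    offset = (flags_frag & 0x1FFF) * 8       # fragment offset in bytes
    payload = total_len - hlen               # bytes after the IP header
    reasons = []
    if df and mf:
        reasons.append("DF and MF both set")
    if (mf or offset) and payload <= 0:
        reasons.append("fragment carries no payload")
    elif mf and offset == 0 and payload < MIN_L4.get(proto, 0):
        reasons.append("first fragment too small for transport header")
    if mf and payload > 0 and payload % 8:
        reasons.append("non-final fragment length not a multiple of 8")
    return reasons


# Constructed from the fields of "Packet 1" in the quoted dump.
REPORTED = make_header("62.32.156.41", "130.216.112.2", 0x5D09, DF | MF, 20)
# Constructed comparison cases (addresses from the documentation ranges).
NORMAL = make_header("192.0.2.1", "198.51.100.7", 1, DF, 40)
FIRST_FRAG = make_header("192.0.2.1", "198.51.100.7", 2, MF, 1500)
TINY_FRAG = make_header("192.0.2.1", "198.51.100.7", 3, MF, 28)

if __name__ == "__main__":
    for name, pkt in [("reported", REPORTED), ("normal", NORMAL),
                      ("first fragment", FIRST_FRAG), ("tiny", TINY_FRAG)]:
        print(name, fragment_anomalies(pkt) or "ok")
```
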