Snort mailing list archives

RE: Please help me understand this alert output


From: "Hicks, John" <JHicks () JUSTICE GC CA>
Date: Fri, 29 Nov 2002 13:02:41 -0500

Snort FAQ: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.7

GIAC GCIA - Fragmented Code Red:
http://cert.uni-stuttgart.de/archive/intrusions/2002/08/msg00246.html

HTH,
John Hicks

-----Original Message-----
From: Hanasaki JiJi [mailto:hanasaki () hanaden com]
Sent: Friday, November 29, 2002 12:41 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Please help me understand this alert output


Below is one of MANY alerts being logged on my internal network.  It is a 
very small network.  How can I find what is causing the bad traffic, 
and rectify it?

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/29-11:38:11.405389 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:12106 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0000   Frag Size: 0x05C8



-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T 
handheld. Power & Color in a compact size! 
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
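
Added example, not part of the original thread: one way to see which host is producing these alerts is to tally the alert file by sender. The Python below parses alerts in the format shown in the post and records whether both DF and MF appear on the IP line; the sample text is constructed from the posted alert, with the second sender and the extra packet IDs invented for illustration.

```python
import re
from collections import Counter

# Constructed sample: the alert from the post plus two made-up variations.
SAMPLE = """\
[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/29-11:38:11.405389 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:12106 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0000   Frag Size: 0x05C8

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/29-11:38:12.101200 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:12107 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0000   Frag Size: 0x05C8

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/29-11:40:02.000100 192.168.1.50 -> 192.168.1.1
UDP TTL:128 TOS:0x0 ID:411 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0000   Frag Size: 0x05C8
"""

HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW = re.compile(r"^\S+ (\S+) -> (\S+)$", re.M)
IPLINE = re.compile(r"^(\w+) TTL:(\d+) .*?ID:(\d+) .*?DgmLen:(\d+)(.*)$", re.M)

def parse_alerts(text):
    """Yield one dict per alert block (blocks are separated by blank lines)."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head, flow, ip = HEADER.search(block), FLOW.search(block), IPLINE.search(block)
        if not (head and flow and ip):
            continue  # skip anything that is not a complete alert
        flags = set(ip.group(5).split())  # tokens after DgmLen, e.g. DF, MF
        yield {"sid": int(head.group(2)), "msg": head.group(4),
               "src": flow.group(1), "dst": flow.group(2),
               "proto": ip.group(1), "ttl": int(ip.group(2)),
               "df_and_mf": {"DF", "MF"} <= flags}

def top_talkers(text):
    """Count alerts per (sid, src, dst) so the noisiest sender stands out."""
    return Counter((a["sid"], a["src"], a["dst"]) for a in parse_alerts(text))

if __name__ == "__main__":
    for (sid, src, dst), n in top_talkers(SAMPLE).most_common():
        print(f"sid {sid}: {src} -> {dst}  x{n}")
```

The sender at the top of the tally is the machine to inspect first; the TTL field kept in each record helps tell apart senders with different operating systems or hop counts.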



