Snort mailing list archives
Re: DF and MF
From: Jeff Nathan <jeff () snort org>
Date: Sat, 05 Apr 2003 13:56:43 -0800
Clayton,

Linux PMTU discovery will set DF on a packet with MF already set. It's anomalous but the Linux folks tend to disagree. Their current implementation disregards, specifically, the fact that certain protocols should not be subject to "optimizations" on behalf of PMTU discovery (namely NFS). It is by no means trivial to create a more intelligent PMTU discovery mechanism in Linux, nevertheless it should be done.

Initially it was OpenBSD's packet filter (pf) that was making note of this anomalous behavior. The Linux folks sarcastically mentioned "These weird BSD firewalls are the only systems blocking these packets...".[1] Applying the term blocking loosely, this is clearly not the case as Snort is the most widely deployed network intrusion detection technology on the planet and any well implemented defragmentation logic will consider this anomalous as well.

[1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=58084

-Jeff

--On Tuesday, April 01, 2003 00:20:19 -0800 Clayton Mascarenhas <masclaythesnort () yahoo com> wrote:
Dear list,

The DF bit is set when we need to find the PMTU. However my Snort IDS is detecting packets to my network that have both the DF as well as the MF bit set. When does this scenario happen?? How useful would this be to an attacker?

Could someone please help me out?

Thanks
--
http://cerberus.sourcefire.com/~jeff (pgp key available)
"Great spirits have always encountered violent opposition from mediocre minds." - Albert Einstein
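The flag combination discussed in this message can be checked directly from the IPv4 header. The following is an added example, not part of the original post and not Snort's or pf's code: it decodes the flags/fragment-offset word and reports DF set together with MF. Treating DF on a trailing fragment (offset above zero, MF clear) the same way is an assumption of this example; the function names and the sample headers are constructed.

```python
import socket
import struct

IP_DF, IP_MF, IP_OFFMASK = 0x4000, 0x2000, 0x1FFF  # RFC 791 flag/offset bits

def frag_fields(header: bytes) -> dict:
    """Decode DF, MF and the fragment offset from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    if header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (word,) = struct.unpack_from("!H", header, 6)  # bytes 6-7: flags + offset
    return {"df": bool(word & IP_DF), "mf": bool(word & IP_MF),
            "offset": (word & IP_OFFMASK) * 8}     # offset is in 8-byte units

def classify(header: bytes) -> str:
    """Label a header by how its DF bit relates to its fragment state."""
    f = frag_fields(header)
    is_fragment = f["mf"] or f["offset"] > 0
    if f["df"] and f["mf"]:
        return "anomalous: DF and MF both set"      # the case in this thread
    if f["df"] and is_fragment:
        return "anomalous: DF set on trailing fragment"  # example's assumption
    return "fragment" if is_fragment else "unfragmented"

def sample_header(flags_offset: int) -> bytes:
    """Constructed 20-byte IPv4/UDP header; checksum left at 0, not checked."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234, flags_offset,
                       64, 17, 0, socket.inet_aton("192.0.2.1"),
                       socket.inet_aton("198.51.100.7"))

if __name__ == "__main__":
    # Constructed flag/offset words: plain DF, first and middle fragments,
    # then the two DF-on-fragment cases.
    for word in (IP_DF, IP_MF, IP_MF | 185, IP_DF | IP_MF, IP_DF | 185):
        print(f"0x{word:04x}", classify(sample_header(word)))
```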
Current thread:
- DF and MF Clayton Mascarenhas (Apr 01)
- Re: DF and MF Jeff Nathan (Apr 05)
- Re: DF and MF Andreas Östling (Apr 07)
- Re: DF and MF Jeff Nathan (Apr 05)