Snort mailing list archives
Re: (no subject)
From: Matt Kettler <mkettler () evi-inc com>
Date: Mon, 01 Dec 2003 15:20:56 -0500
At 01:36 PM 12/1/2003, CGhercoias () TWEC COM wrote:
> Does anyone know what they mean?
<snip>
> ------ #(3 - 1249126) [2003-11-28 11:11:24] [snort/1322] BAD-TRAFFIC bad frag bits IPv4: 177.x.x.x -> 177.y.y.y
This rule (bad frag bits) means that the "don't fragment" bit is set at the same time as the "more fragments" bit. This is an RFC violation, but it's an incredibly common thing for broken IP stacks to do.
In theory any packet with DF that would need fragmentation must be dropped and an error message returned.
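The flag combination described in the reply above can be checked directly on a raw IPv4 header. The following Python sketch is an added example, not part of the original message or of Snort's code; the function names and the sample headers (built with documentation-range addresses) are constructed for illustration.

```python
import struct

# Masks for the 16-bit flags/fragment-offset field of the IPv4 header (RFC 791).
RESERVED = 0x8000
DF = 0x4000           # Don't Fragment
MF = 0x2000           # More Fragments
OFFSET_MASK = 0x1FFF  # fragment offset, counted in 8-byte units


def parse_frag_field(header: bytes) -> dict:
    """Extract the fragmentation fields from a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("IPv4 header needs at least 20 bytes")
    version = header[0] >> 4
    if version != 4:
        raise ValueError(f"not IPv4 (version={version})")
    (field,) = struct.unpack("!H", header[6:8])
    return {
        "df": bool(field & DF),
        "mf": bool(field & MF),
        "reserved": bool(field & RESERVED),
        "offset": (field & OFFSET_MASK) * 8,  # convert to bytes
    }


def classify(header: bytes) -> str:
    """Label a header the way an analyst would when triaging this alert."""
    f = parse_frag_field(header)
    if f["df"] and f["mf"]:
        return "bad frag bits: DF and MF both set"
    if f["mf"] or f["offset"]:
        return "fragment"
    if f["df"]:
        return "unfragmented, DF set"
    return "unfragmented"


def build_header(flags_offset: int) -> bytes:
    """Constructed sample header; only the flags/offset field varies."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, flags_offset,
                       64, 6, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))


if __name__ == "__main__":
    for value in (0x4000, 0x2000, 0x6000, 0x00B9, 0x0000):
        print(f"0x{value:04x}: {classify(build_header(value))}")
```
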