Snort mailing list archives
(spp_frag2) Oversized fragment, probable DoS
From: "Finney Charles E" <FinneyCharlesE () JohnDeere com>
Date: Fri, 13 Feb 2004 12:49:09 -0600
Received the following running Snort ver 2.0.0:

(spp_frag2) Oversized fragment, probable DoS

The alerts logged are all of the form:

1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480@35520+)
0x0000 4500 05dc 78fa 3158 7e01 f3d1 0102 0304 E...x.1X~....+`F
0x0010 0506 0708 efbe adde efbe adde efbe adde .5.U............
0x0020 efbe adde efbe adde efbe adde efbe adde ................
...
0x05d0 efbe adde efbe adde efbe adde ............

Fully half of the 2800 alerts were for offset 35520. The traffic appears to have been stimulated by an application called "SiSandra". The Snort doc offers no clue as to the rationale for generating the alert, as best I can tell. Any knowledge about what trips "(spp_frag2) Oversized fragment" appreciated.

Thanks,
Charles E. Finney
Deere & Company
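Added example, not part of the original post and not Snort's code: it decodes the IPv4 header bytes from the dump above, reproduces the tcpdump fragment summary, and computes where the fragment would end in the reassembled datagram. The comparison against the 65535-byte IPv4 limit and the second, constructed header are assumptions for illustration; the post does not say what frag2 actually tests.

```python
import struct

# First 20 bytes of the dump in the post. The poster anonymised the addresses,
# so the header checksum is not checked here.
POSTED_HEADER = "4500 05dc 78fa 3158 7e01 f3d1 0102 0304 0506 0708"
# Constructed header (not from the post): same packet with the maximum offset.
CONSTRUCTED_HEADER = "4500 05dc 78fa 3fff 7e01 0000 0102 0304 0506 0708"

MAX_IP_DATAGRAM = 65535  # largest value of the 16-bit total-length field


def parse_fragment(header_hex):
    """Decode the fragmentation fields of an IPv4 header given as hex text."""
    raw = bytes.fromhex(header_hex.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("need at least 20 header bytes")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    offset = (flags_off & 0x1FFF) * 8      # the field counts 8-byte units
    payload = total_len - ihl
    return {
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
        "proto": proto,
        "id": ident,
        "more_fragments": bool(flags_off & 0x2000),
        "offset": offset,
        "payload_len": payload,
        "end": offset + payload,
        # Assumption: "oversized" is measured against the IPv4 datagram limit.
        "exceeds_max": offset + payload > MAX_IP_DATAGRAM,
    }


def tcpdump_frag(f):
    """Render the fields the way the tcpdump summary line in the post does."""
    return "frag %d:%d@%d%s" % (f["id"], f["payload_len"], f["offset"],
                                "+" if f["more_fragments"] else "")


if __name__ == "__main__":
    for label, hdr in (("posted", POSTED_HEADER),
                       ("constructed", CONSTRUCTED_HEADER)):
        f = parse_fragment(hdr)
        print(label, tcpdump_frag(f), "end=%d" % f["end"], f["exceeds_max"])
```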
Current thread:
- (spp_frag2) Oversized fragment, probable DoS Finney Charles E (Feb 13)
- Re: (spp_frag2) Oversized fragment, probable DoS Martin Roesch (Feb 13)