Snort mailing list archives
RE: frag3 alerts
From: "Drew Burchett" <DrewB () united-systems com>
Date: Mon, 22 May 2006 13:45:52 -0500
This is my entire frag3 config: preprocessor frag3_global: max_frags 65536 preprocessor frag3_engine: policy linux bind_to [65.241.66.7,65.241.66.8,65.241.66.9,65.241.66.12,65.241.66.13,65.241.66 .70] preprocessor frag3_engine: policy windows bind_to [65.241.66.15,65.241.66.16,65.241.66.25] preprocessor frag3_engine: policy first detect_anomalies Drew Burchett United Systems & Software http://www.united-systems.com Phone: (270)527-3293 Fax: (270)527-3132
-----Original Message----- From: Joel Esler [mailto:joel.esler () sourcefire com] Sent: Monday, May 22, 2006 1:38 PM To: Drew Burchett Cc: snort-users () lists sourceforge net Subject: Re: [Snort-users] frag3 alerts -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 How do you have the rest of the frag3 entries set? Or is that the
only
entry you have? Joel Drew Burchett wrote:Well, I'm pretty sure I've got that set right. The host is running
Suse
Linux 10.0 and I've got the configuration set to: preprocessor frag3_engine: policy linux bind_to 65.241.66.12 That seemed to be how I should have it set according to the chart in README.frag3. Drew Burchett United Systems & Software http://www.united-systems.com Phone: (270)527-3293 Fax: (270)527-3132-----Original Message----- From: Joel Esler [mailto:joel.esler () sourcefire com] Sent: Monday, May 22, 2006 1:31 PM To: Drew Burchett Cc: snort-users () lists sourceforge net; rmkml Subject: Re: [Snort-users] frag3 alertsOf course. Frag3 is target based (tuned to the OS) of your machine. Therefore you need to create an entry in your snort.conf
specifically
tuned to the OS of your DNS server (and any other host on yournetwork)If you need further help, feel free to email the list or mepersonally,however, please review the examples in the snort.conf under the
frag3
heading. Joel Esler Drew Burchett wrote:From examining the packet capture, I?ve determined that the?offending?traffic is an NXDomain response from a valid root server. It?sbeingcaused by doing reverse lookups on spam email. However, the question remains, is there any way I can fine tune
the
frag3 preprocessor to avoid these false positives? Drew Burchett United Systems & Software http://www.united-systems.com Phone: (270)527-3293 Fax: (270)527-3132 * From: * snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] *On Behalf Of
*Drew
Burchett *Sent:* Monday, May 22, 2006 11:18 AM *To:* snort-users () lists sourceforge net *Subject:* [Snort-users] frag3 alerts I am seeing a lot of frag3 Fragmentation overlap alerts with my
DNS
server as the destination and a source address that reverses to arootserver. When examining the packets, the traffic seems to be
valid
DNStraffic, although it has nothing to do with any domains that I
host.
Isthis some sort of attack, or is it valid traffic that is throwingfalsepositives? If it is a false positive, is there any way I canfine-tunethe frag3 preprocessor to avoid these? Drew Burchett United Systems & Software http://www.united-systems.com Phone: (270)527-3293 Fax: (270)527-3132 -- CONFIDENTIALITY NOTICE: This e-mail message, including anyattachments,is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review,use,disclosure or distribution is prohibited. If you are not theintendedrecipient, please contact the sender by reply e-mail and destroy
all
copies of the original message. -- This message has been scanned for viruses and dangerous content by *MailScanner*
<http://www.mailscanner.info/>*,
andisbelieved to be clean. -- * *CONFIDENTIALITY NOTICE: This e-mail message, including anyattachments,is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review,use,disclosure or distribution is prohibited. If you are not theintendedrecipient, please contact the sender by reply e-mail and destroy
all
copies of the original message. * * -- This message has been scanned for viruses and dangerous content by *MailScanner*
<http://www.mailscanner.info/>,
andisbelieved to be clean. *-- CONFIDENTIALITY NOTICE: This e-mail message, including any
attachments,
is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQFEcgUDKbCSyXHckt4RAoTtAJ90GOaIdc/J5c7BrdQKI/zXb7mgygCfXGSI b7QvWUZeaKLTfbe6I0usa0k= =/rr2 -----END PGP SIGNATURE-----
-- CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message. -- This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean. ------------------------------------------------------- Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid0709&bid&3057&dat1642 _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- frag3 alerts Drew Burchett (May 22)
- <Possible follow-ups>
- RE: frag3 alerts Drew Burchett (May 22)
- Re: frag3 alerts Joel Esler (May 22)
- RE: frag3 alerts Drew Burchett (May 22)
- Re: frag3 alerts Joel Esler (May 22)
- RE: frag3 alerts Drew Burchett (May 22)