Snort mailing list archives

frag3 Fragmentation overlap Alert


From: "Michael Green" <Michael.Green () gbst com>
Date: Fri, 9 Jan 2009 08:13:32 +1000

Hi

 

I'm running snort 2.8.3.1 on CentOS 5. I'm getting a lot of alerts from
frag3 for a Fragmentation overlap. After doing a packet capture I can
confirm that there is indeed Fragmentation overlap or at least repeats
of the same fragment. Would snort count that as an overlap?

 

Anyway, it's one of my Cisco ASAs doing a large OSPF LS update, and while
I'd like to stop the firewall sending multiple fragments, I also want to
stop snort alerting on this!

 

In my frag3 config I have the following specifically for my Cisco
devices; I also have other policies for my other devices:

                preprocessor frag3_engine: policy last bind_to [<list of cisco ip's>]

 

Note I don't have "detect_anomalies" for this particular policy. I
thought that this would stop the alerts, but apparently not.

 

I would appreciate any suggestions on how to stop this. Also, if
"detect_anomalies" doesn't work as I thought, what is it for?

 

Michael Green

Senior Network Engineer

Global Banking & Securities Transactions 

http://gbst.com/

One often meets his destiny on the road to avoiding it!
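
Added example, not part of the original post and not frag3's own logic: a triage helper for the packet capture described above that separates exact repeats of a fragment from fragments whose byte ranges really overlap. The field names, the frag() helper and the sample fragments are constructed for illustration.

```python
from collections import defaultdict

def classify_overlaps(frags):
    """Return (ip_id, kind, first_offset, second_offset) for each overlapping pair."""
    datagrams = defaultdict(list)
    for f in frags:
        # Fragments belong to one datagram when src, dst, protocol and IP ID match.
        datagrams[(f["src"], f["dst"], f["proto"], f["id"])].append(f)
    findings = []
    for key, group in datagrams.items():
        group.sort(key=lambda f: f["off"])
        for i, a in enumerate(group):
            a_end = a["off"] + len(a["data"])
            for b in group[i + 1:]:
                if b["off"] >= a_end:
                    break  # sorted by offset, so no later fragment overlaps a
                same_range = b["off"] == a["off"] and len(b["data"]) == len(a["data"])
                if same_range and b["data"] == a["data"]:
                    kind = "exact-duplicate"             # same bytes sent again
                elif same_range:
                    kind = "same-range-different-bytes"  # reassembly is ambiguous
                else:
                    kind = "partial-overlap"             # ranges intersect
                findings.append((key[3], kind, a["off"], b["off"]))
    return findings

def frag(ip_id, off, data, src="192.0.2.1", dst="224.0.0.5", proto=89):
    # Hypothetical record layout; offsets are in bytes, proto 89 is OSPF.
    return {"src": src, "dst": dst, "proto": proto, "id": ip_id, "off": off, "data": data}

# Constructed sample: datagram 100 repeats one fragment, datagram 101 overlaps.
SAMPLE = [
    frag(100, 0, b"A" * 1480),
    frag(100, 1480, b"B" * 1480),
    frag(100, 1480, b"B" * 1480),
    frag(100, 2960, b"C" * 200),
    frag(101, 0, b"D" * 24),
    frag(101, 16, b"E" * 24),
]

if __name__ == "__main__":
    for finding in classify_overlaps(SAMPLE):
        print(finding)
```

Fed with fragments extracted from a real capture, the "exact-duplicate" rows point at retransmitted fragments, while the other two kinds are the cases where the target-based reassembly policy decides which bytes survive.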

 
