Snort mailing list archives

Re: Checking for "Frag Offset"
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 26 Mar 2002 16:11:32 -0500

I suspect you're confusing two things:

1) the "content" rule for snort matches packet data, not headers, so if this text was in the header, a content: rule won't catch it anyway.

2) The literal text "Frag Offset" should not be in the headers of fragmented packets. That's a human-readable decode of the binary header. They don't contain "port" "tcp" or any other such fluff either. The "Frag Offset" field of an IP header is bits 50 through 63 in the header, but that won't help you much.

I'd use the fragbits:M+ option of a snort rule to detect a fragmented packet (one which has the "More Fragments" bit set).

As for your other question about "don't fragment", use fragbits:D+.

See the docs for more detail:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.7

At 03:25 PM 3/26/2002 -0500, Sheahan, Paul (PCLN-NW) wrote:

I am trying to do some testing and analysis on fragmented packets. Looking
at the headers of fragmented packets, they always contain "Frag Offset:" in
them. So I tried to have Snort alert on packets with content of "Frag
Offset" as a test, but no alerts were generated even though many packets
with "Frag Offset" in the header had entered the network.

Is there another way I can have Snort alert on fragmented packets, such as
with the flags: Snort option or something?

Thanks!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
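To make the reply's point concrete, here is an added example (not code from the thread or from Snort): it decodes the binary flags/fragment-offset word of an IPv4 header, evaluates fragbits tests such as M+ and D+ following the modifier semantics the Snort docs give, and adds a check for the final fragment, which has the "More Fragments" bit clear and so is missed by fragbits:M+ alone. The sample headers are constructed for the example and carry zero checksums.

```python
"""Decode the IPv4 flags/fragment-offset word and evaluate Snort-style fragbits tests."""
import struct

# Snort fragbits letters and their bit in the 16-bit flags+offset word (bytes 6-7)
FRAGBIT = {"R": 0x8000, "D": 0x4000, "M": 0x2000}  # reserved, don't fragment, more
OFFSET_MASK = 0x1FFF  # low 13 bits: fragment offset in 8-byte units

def parse_ipv4_header(raw: bytes) -> dict:
    """Return the three flag bits and the fragment offset in bytes."""
    if len(raw) < 20:
        raise ValueError("IPv4 header is at least 20 bytes")
    flags_frag = struct.unpack("!H", raw[6:8])[0]
    return {
        "R": bool(flags_frag & FRAGBIT["R"]),
        "D": bool(flags_frag & FRAGBIT["D"]),
        "M": bool(flags_frag & FRAGBIT["M"]),
        "offset": (flags_frag & OFFSET_MASK) * 8,
    }

def is_fragment(raw: bytes) -> bool:
    """Any fragment: MF set, or non-zero offset (the last fragment has MF clear)."""
    hdr = parse_ipv4_header(raw)
    return hdr["M"] or hdr["offset"] > 0

def fragbits_match(raw: bytes, test: str) -> bool:
    """Evaluate a fragbits value such as "M+", "D+", "!D" or "MD*".
    No modifier: flags must equal exactly the listed bits.  '+': listed bits set,
    others allowed.  '*': any listed bit set.  '!': none of the listed bits set."""
    flags_word = struct.unpack("!H", raw[6:8])[0] & 0xE000
    wanted, modifier = 0, ""
    for ch in test.upper():  # modifier may appear before or after the letters
        if ch in "+*!":
            modifier = ch
        elif ch in FRAGBIT:
            wanted |= FRAGBIT[ch]
        else:
            raise ValueError(f"unknown fragbits character {ch!r}")
    if modifier == "+":
        return flags_word & wanted == wanted
    if modifier == "*":
        return flags_word & wanted != 0
    if modifier == "!":
        return flags_word & wanted == 0
    return flags_word == wanted

# Constructed sample headers (checksum left zero): first and last fragment of one
# datagram, and an unfragmented packet with DF set. None contains "Frag Offset".
FIRST_FRAG = bytes.fromhex("4500 05dc 1c46 2000 4001 0000 c0a8 0001 c0a8 0002")
LAST_FRAG = bytes.fromhex("4500 0054 1c46 0172 4001 0000 c0a8 0001 c0a8 0002")
DF_PACKET = bytes.fromhex("4500 0054 1c47 4000 4001 0000 c0a8 0001 c0a8 0002")
```

A rule with fragbits:M+ matches FIRST_FRAG but not LAST_FRAG; is_fragment() catches both, which is why a detection for fragmented traffic should also look at the offset.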