Snort mailing list archives

Frag2


From: "Blake Frantz" <blake () mc net>
Date: Mon, 14 Apr 2003 15:24:11 -0500


I'm running snort version 1.9.1-db (Build 231)

I've been getting a lot of "MISC Tiny Fragments" due to some 36-byte packets
(including the IP header) that have been running through my network.  I've
done some research and determined the cause of this traffic, but snort is not
alerting on rules I have set that define the packet in its defragmented
state.  So I took a look at my snort stats for frag2.

Fragmentation Stats:
Fragmented IP Packets: 88579      (0.736%)
    Fragment Trackers: 0         
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
  Frag2 memory faults: 0       

After seeing the column of goose eggs there I thought something was up, or
I'm misunderstanding what "Rebuilt IP Packets: 0" means.  I upped the frag2
memcap to 50MB to see if that would help, but I'm still not getting any
alerts.

(from my snort.conf :: preprocessor frag2 memcap 50000000)

I fired up another packet defrager and got the following output:

Status     : Fragged packet compilation done for id=62d8 proto=UDP
Src        : a.b.179.7
Dst        : c.d.159.13
Src Port   : 62465
Dst Port   : 62465
Data       : [ data ]

....
....

Then added two rules to snort:

alert udp a.b.179.7 62465 -> c.d.159.13 62465 (msg:"YO BLAKE I";)
alert udp c.d.159.13 62465 -> a.b.179.7 62465 (msg:"YO BLAKE II";)

But still nothing...

Fragmentation Stats:
Fragmented IP Packets: 118998     (0.668%)
    Fragment Trackers: 0         
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
  Frag2 memory faults: 0 

No alerts, no logs, no nothing.

Any idea what is going on here?

Thanks in advance,

Blake Frantz  CISSP, MCSE, CCNA, CNA
Security Engineer
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake () mc net
http://www.mc.net
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users