Snort mailing list archives
Frag2
From: "Blake Frantz" <blake () mc net>
Date: Mon, 14 Apr 2003 15:24:11 -0500
I'm running snort version 1.9.1-db (Build 231). I've been getting a lot of "MISC Tiny Fragments" due to some 36-byte packets (including the IP header) that have been running through my network. I've done some research and determined the cause of this traffic, but snort is not alerting on rules I have set that define the packet in its defragmented state. So I took a look at my snort stats for frag2.

Fragmentation Stats:
  Fragmented IP Packets: 88579 (0.736%)
  Fragment Trackers: 0
  Rebuilt IP Packets: 0
  Frag elements used: 0
  Discarded(incomplete): 0
  Discarded(timeout): 0
  Frag2 memory faults: 0

After seeing the column of goose eggs there I thought something was up, or I'm misunderstanding what "Rebuilt IP Packets: 0" means. I upped the frag2 memcap to 50MB to see if that would help, but I'm still not getting any alerts. (from my snort.conf :: preprocessor frag2 memcap 50000000)

I fired up another packet defragger and got the following output:

Status   : Fragged packet compilation done for id=62d8 proto=UDP
Src      : a.b.179.7
Dst      : c.d.159.13
Src Port : 62465
Dst Port : 62465
Data     : [ data ]
.... ....

Then added two rules to snort:

alert udp a.b.179.7 62465 -> c.d.159.13 62465 (msg:"YO BLAKE I";)
alert udp c.d.159.13 62465 -> a.b.179.7 62465 (msg:"YO BLAKE II";)

But still nothing...

Fragmentation Stats:
  Fragmented IP Packets: 118998 (0.668%)
  Fragment Trackers: 0
  Rebuilt IP Packets: 0
  Frag elements used: 0
  Discarded(incomplete): 0
  Discarded(timeout): 0
  Frag2 memory faults: 0

No alerts, no logs, no nothing. Any idea what is going on here?

Thanks in advance,

Blake Frantz CISSP, MCSE, CCNA, CNA
Security Engineer
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake () mc net
http://www.mc.net
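Added example, not code from the post or from Snort: the stats above are what a fragment reassembler like frag2 reports, and the post's rules are port rules, which only a datagram carrying the UDP header can satisfy. Only the first fragment of a UDP datagram contains the UDP header; later fragments are bare IP payload, so a port rule has nothing to match in them until the pieces are rebuilt. The constructed script below fragments a 40-byte UDP datagram (ports 62465 -> 62465 and IP id 0x62d8 from the post) into 36-byte fragments, tracks them per (src, dst, id, proto), rebuilds the datagram once offset 0 through the last (MF=0) fragment are contiguously covered, and runs a port check against both the fragments and the rebuilt datagram. The addresses 10.0.179.7 / 10.0.159.13 and the payload bytes are constructed (the post masks the real addresses). This toy does not resolve overlapping fragments or implement a timeout; flush_incomplete() stands in for what a timeout would do.

```python
"""Minimal IPv4 fragment reassembler (added example; constructed data, runs offline)."""
import socket
import struct

SRC, DST = "10.0.179.7", "10.0.159.13"  # constructed; post masks the real ones
PORT = 62465                              # port from the post
IPPROTO_UDP = 17


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ident, mf=False, offset=0):
    """20-byte IPv4 header + payload; `offset` is in bytes (multiple of 8)."""
    frag_field = ((1 if mf else 0) << 13) | (offset // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, frag_field,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload


def build_udp(sport, dport, data):
    """UDP header + data; checksum 0 (allowed for UDP over IPv4)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def fragment(src, dst, proto, payload, ident, frag_data=16):
    """Split payload into fragments of `frag_data` bytes (multiple of 8).
    With frag_data=16 each full fragment is 36 bytes on the wire, as in the post."""
    frags = []
    for off in range(0, len(payload), frag_data):
        chunk = payload[off:off + frag_data]
        frags.append(build_ipv4(src, dst, proto, chunk, ident,
                                mf=(off + frag_data < len(payload)), offset=off))
    return frags


def parse_ipv4(pkt):
    f = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (f[0] & 0x0F) * 4
    return {"hdr": pkt[:ihl], "total_len": f[2], "ident": f[3],
            "mf": bool((f[4] >> 13) & 1), "offset": (f[4] & 0x1FFF) * 8, "proto": f[6],
            "src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "payload": pkt[ihl:f[2]]}


class Reassembler:
    """One tracker per (src, dst, id, proto); emits the datagram when fully covered."""

    def __init__(self):
        self.trackers = {}
        self.stats = {"fragmented": 0, "rebuilt": 0, "discarded_incomplete": 0}

    def feed(self, pkt):
        p = parse_ipv4(pkt)
        if not p["mf"] and p["offset"] == 0:
            return pkt                       # whole datagram, nothing to rebuild
        self.stats["fragmented"] += 1
        key = (p["src"], p["dst"], p["ident"], p["proto"])
        t = self.trackers.setdefault(key, {"frags": {}, "total": None, "hdr": None})
        t["frags"][p["offset"]] = p["payload"]
        if p["offset"] == 0:
            t["hdr"] = p["hdr"]              # header template comes from the first fragment
        if not p["mf"]:
            t["total"] = p["offset"] + len(p["payload"])   # MF=0 fixes the datagram size
        return self._try_rebuild(key, t)

    def _try_rebuild(self, key, t):
        if t["total"] is None or t["hdr"] is None:
            return None
        data, covered = bytearray(), 0
        for off in sorted(t["frags"]):
            if off != covered:               # hole (or overlap, not resolved here): keep waiting
                return None
            data += t["frags"][off]
            covered += len(t["frags"][off])
        if covered != t["total"]:
            return None
        del self.trackers[key]
        self.stats["rebuilt"] += 1
        hdr = bytearray(t["hdr"])            # clear flags/offset, fix length, recompute checksum
        struct.pack_into("!H", hdr, 2, len(hdr) + covered)
        struct.pack_into("!H", hdr, 6, 0)
        struct.pack_into("!H", hdr, 10, 0)
        struct.pack_into("!H", hdr, 10, checksum(bytes(hdr)))
        return bytes(hdr) + bytes(data)

    def flush_incomplete(self):
        """Drop all open trackers (what a timeout would do); returns how many."""
        n = len(self.trackers)
        self.trackers.clear()
        self.stats["discarded_incomplete"] += n
        return n


def rule_matches(pkt, sport, dport):
    """Port check in the spirit of `alert udp ... 62465 -> ... 62465`.
    Only a datagram or first fragment has a UDP header; later fragments cannot match."""
    p = parse_ipv4(pkt)
    if p["proto"] != IPPROTO_UDP or p["offset"] != 0 or len(p["payload"]) < 8:
        return False
    return struct.unpack("!HH", p["payload"][:4]) == (sport, dport)


def demo():
    """40-byte UDP datagram -> 36/36/28-byte fragments -> reassembled datagram + stats."""
    udp = build_udp(PORT, PORT, b"constructed payload: 32 bytes!!!")  # constructed data
    frags = fragment(SRC, DST, IPPROTO_UDP, udp, ident=0x62D8)
    r, rebuilt = Reassembler(), None
    for f in frags:
        rebuilt = r.feed(f) or rebuilt
    return frags, rebuilt, r.stats


if __name__ == "__main__":
    frags, rebuilt, stats = demo()
    print([len(f) for f in frags], len(rebuilt), stats)
    print([rule_matches(f, PORT, PORT) for f in frags], rule_matches(rebuilt, PORT, PORT))
```

Running it shows the shape of the problem in the post: the three fragments are 36, 36 and 28 bytes, the port check is true only for the first fragment and for the rebuilt 60-byte datagram, and the stats counter for rebuilt datagrams goes to 1 only after the last fragment arrives. Feeding the first and last fragment without the middle one leaves the tracker open, and flush_incomplete() then counts it as discarded.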