Snort mailing list archives

bad frag bits


From: scadams () t-online de (Samuel C. Adams)
Date: Mon, 24 Nov 2003 22:00:39 +0100

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:5;)

So... I believe this signature generates alerts when packets with both
the don't fragment and more fragments bits are set. Anyone see this
alert much? I'm seeing it primarily with udp packets coming from
audio/video streaming sites (i.e. Realnetworks, Kontiki, Shockwave). 
Usually these udp packets are fairly large and it's possible they have
to travel over a link with low MTU at some point. Is it possible to fragment
packets if the don't fragment bit is set? Are there routers out there
that do that? 

I thought routers were supposed to send ICMP code 3 type 4 messages
(Fragmentation Needed and Don't Fragment was Set) if they are forced to
deal with packets that are too large. Is that not always the case?
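As an added example (not from the original post or from the Snort project), here is a small Python check of what fragbits:MD in the rule above actually tests: the three IPv4 flag bits parsed from a raw header, evaluated with Snort's fragbits modifier semantics (no modifier = exact match, + = listed bits plus any others, * = any listed bit, ! = none of the listed bits), over a constructed set of headers that includes the DF+MF case the rule alerts on.

```python
import struct

# IPv4 flag bits of the 16-bit flags/fragment-offset field (RFC 791):
# bit 15 reserved (R), bit 14 don't fragment (D), bit 13 more fragments (M).
FLAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}


def ip_flags(packet: bytes) -> int:
    """Return the R/D/M flag bits of a raw IPv4 packet as a 3-bit value (R=4, D=2, M=1)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return flags_frag >> 13


def fragbits_match(spec: str, flags: int) -> bool:
    """Evaluate a Snort fragbits spec ("MD", "+M", "*MD", "!D") against the R/D/M bits."""
    modifier = spec[0] if spec[0] in "+*!" else ""
    want = 0
    for ch in spec[len(modifier):]:
        want |= FLAG_BITS[ch.upper()] >> 13
    if modifier == "+":      # all listed bits set, others may be set too
        return flags & want == want
    if modifier == "*":      # any listed bit set
        return flags & want != 0
    if modifier == "!":      # none of the listed bits set
        return flags & want == 0
    return flags == want     # no modifier: exactly the listed bits, nothing else


def make_ipv4(flags_frag: int, proto: int = 17) -> bytes:
    """Build a minimal 20-byte IPv4 header (constructed test input, checksum left zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0x1234, flags_frag,
                       64, proto, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))


# Constructed samples: DF+MF set (the sid:1322 case), DF only, MF with a
# fragment offset (a normal second fragment), and no flags at all.
SAMPLES = {
    "df_and_mf": make_ipv4(0x6000),
    "df_only": make_ipv4(0x4000),
    "mf_offset": make_ipv4(0x2000 | 185),
    "plain": make_ipv4(0x0000),
}


def bad_frag_bits(packets: dict) -> list:
    """Names of the packets that would satisfy the rule's fragbits:MD test."""
    return [name for name, pkt in packets.items() if fragbits_match("MD", ip_flags(pkt))]
```

Only the DF+MF header matches the exact-match spec; a legitimate fragment (MF set, offset non-zero, DF clear) does not, which is the distinction the rule relies on.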


