Snort mailing list archives

Re: bad frag bits

From: Brian <bmc () snort org>
Date: Tue, 25 Nov 2003 11:05:31 -0500

On Mon, Nov 24, 2003 at 10:00:39PM +0100, Samuel C. Adams wrote:

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag
bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:5;) 

So... I believe this signature generates alerts when packets with both
the don't fragment and more fragments bits are set. Anyone see this
alert much?


Yep.  And it shows up quite a bit on big NFS networks.  This rule will be
disabled by default the next time I do a rules commit.

-b


-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program.
Does SourceForge.net help you be more productive?  Does it
help you create better code?  SHARE THE LOVE, and help us help
YOU!  Click Here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

bad frag bits Samuel C. Adams (Nov 25)
- Re: bad frag bits Brian (Nov 25)
  - snort inline && current rules. /dev/null (Nov 25)
    - Re: snort inline && current rules. Matt Kettler (Nov 25)
    - Re: snort inline && current rules. /dev/null (Nov 25)
    - Re: snort inline && current rules. Jeff Nathan (Nov 25)
    - Re: snort inline && current rules. Matt Kettler (Nov 25)
    - Re: snort inline && current rules. /dev/null (Nov 25)
    - Re: snort inline && current rules. Josh Berry (Nov 25)
    - snort inline behavior /dev/null (Nov 25)
    - Re: snort inline behavior /dev/null (Nov 26)
    - Re: snort inline behavior Stephan Scholz (Nov 26)

(Thread continues...)