Snort mailing list archives

Re: (spp_frag2) Oversized fragment, probable DoS


From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 13 Feb 2004 20:49:53 -0500

Hi Charles,

That alert is generated if the defragger tries to reassemble a packet that has a final size greater than 65535 bytes, the largest allowable IP packet.

Is that offset 35520 *bytes* into the packet? If so that looks like a problem. What platform are you running on? Have you tried upgrading to 2.0.6?

        -Marty

On Feb 13, 2004, at 1:49 PM, Finney Charles E wrote:

Received the following running Snort ver 2.0.0: (spp_frag2) Oversized fragment, probable DoS

The alerts logged are all of the form:
1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480@35520+)
0x0000   4500 05dc 78fa 3158 7e01 f3d1 0102 0304       E...x.1X~....+`F
0x0010   0506 0708 efbe adde efbe adde efbe adde       .5.U............
0x0020   efbe adde efbe adde efbe adde efbe adde       ................
...
0x05d0   efbe adde efbe adde efbe adde                  ............

Fully half of the 2800 alerts were for offset 35520. The traffic appears to have been stimulated by an application called "SiSandra". The Snort doc offers no clue as to the rationale for generating the alert, as best I can tell.

Any knowledge about what trips "(spp_frag2) Oversized fragment" appreciated.

Thanks,
Charles E. Finney
Deere & Company



-------------------------------------------------------
SF.Net is sponsored by: Speed Start Your Linux Apps Now.
Build and deploy apps & Web services for Linux with
a free DVD software kit from IBM. Click Now!
http://ads.osdn.com/?ad_id56&alloc_id438&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users


--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
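To make the size check in Marty's first sentence concrete, here is an added example (my own code, not Snort's frag2 preprocessor): it decodes the IPv4 header from the first line of Charles's dump, recovers the values tcpdump printed (id 30970, 1480 payload bytes at offset 35520, more-fragments set), and flags a fragment set whose reassembled end would pass 65535 bytes. The oversized header at the end is constructed for illustration and is not from the thread.

```python
import struct

MAX_IP_PACKET = 65535  # largest allowable IPv4 total length

# First 20 bytes of the "0x0000" line in the quoted dump (IPv4 header).
FRAGMENT_HEADER = bytes.fromhex("4500 05dc 78fa 3158 7e01 f3d1 0102 0304 0506 0708")

# Constructed sample: a final fragment (MF clear) whose offset field is at
# the maximum 8191, i.e. 65528 bytes, carrying 1480 payload bytes.
OVERSIZED_HEADER = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 30970, 0x1FFF,
                               126, 1, 0, bytes([1, 2, 3, 4]), bytes([5, 6, 7, 8]))


def parse_ipv4_fragment(hdr: bytes) -> dict:
    """Return the reassembly-relevant fields of an IPv4 header."""
    if len(hdr) < 20:
        raise ValueError("need at least 20 bytes of IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", hdr[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a sane IPv4 header")
    return {
        "id": ident,
        "proto": proto,
        "more_fragments": bool(flags_off & 0x2000),  # MF flag
        "offset": (flags_off & 0x1FFF) * 8,          # field is in 8-byte units
        "payload_len": total_len - ihl,              # bytes this fragment carries
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def fragment_end(frag: dict) -> int:
    """Byte position just past this fragment's data in the reassembled datagram."""
    return frag["offset"] + frag["payload_len"]


def oversized_reassembly(fragments) -> bool:
    """True when reassembling these fragments would exceed 65535 bytes."""
    return max(fragment_end(f) for f in fragments) > MAX_IP_PACKET


if __name__ == "__main__":
    frag = parse_ipv4_fragment(FRAGMENT_HEADER)
    print(frag, "end =", fragment_end(frag), "oversized:", oversized_reassembly([frag]))
    big = parse_ipv4_fragment(OVERSIZED_HEADER)
    print("constructed fragment end =", fragment_end(big), "oversized:", oversized_reassembly([big]))
```

The quoted fragment alone ends at byte 37000, so this check would not fire on it; only a fragment whose offset plus payload passes 65535, like the constructed one, trips it.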


