Snort mailing list archives
Re: (spp_frag2) Oversized fragment, probable DoS
From: Martin Roesch <roesch () sourcefire com>
Date: Fri, 13 Feb 2004 20:49:53 -0500
Hi Charles,

That alert is generated if the defragger tries to reassemble a packet that has a final size greater than 65535 bytes, the largest allowable IP packet.
Is that offset 35520 *bytes* into the packet? If so that looks like a problem. What platform are you running on? Have you tried upgrading to 2.0.6?
-Marty

On Feb 13, 2004, at 1:49 PM, Finney Charles E wrote:
> Received the following running Snort ver 2.0.0:
>
> (spp_frag2) Oversized fragment, probable DoS
>
> The alerts logged are all of the form:
>
> 1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480@35520+)
> 0x0000 4500 05dc 78fa 3158 7e01 f3d1 0102 0304 E...x.1X~....+`F
> 0x0010 0506 0708 efbe adde efbe adde efbe adde .5.U............
> 0x0020 efbe adde efbe adde efbe adde efbe adde ................
> ...
> 0x05d0 efbe adde efbe adde efbe adde ............
>
> Fully half of the 2800 alerts were for offset 35520. The traffic appears to have been stimulated by an application called "SiSandra". The Snort doc offers no clue as to the rationale for generating the alert, as best I can tell.
>
> Any knowledge about what trips "(spp_frag2) Oversized fragment" appreciated.
>
> Thanks,
> Charles E. Finney
> Deere & Company
>
> -------------------------------------------------------
> SF.Net is sponsored by: Speed Start Your Linux Apps Now.
> Build and deploy apps & Web services for Linux with
> a free DVD software kit from IBM. Click Now!
> http://ads.osdn.com/?ad_id56&alloc_id438&op=click
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
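The size check described in the reply, applied to the IPv4 header bytes from the quoted dump, as an added example that is not part of the original thread and is not Snort's frag2 code. The function names, the constructed second header, and the choice to count the IP header length toward the final size are assumptions made for illustration.

```python
import struct

MAX_IP_PACKET = 65535  # largest allowable IP packet, as stated in the reply

# First 20 bytes of the dump quoted in the thread (addresses as posted there).
THREAD_HEADER = bytes.fromhex("450005dc78fa31587e01f3d10102030405060708")
# Constructed sample (not from the thread): offset field at its maximum, 0x1fff.
CONSTRUCTED_HEADER = bytes.fromhex("450005dc78fa3fff7e0100000102030405060708")


def parse_fragment(header):
    """Decode the fragmentation fields of an IPv4 header (checksum not verified)."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack("!BBHHH", header[:8])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a valid IPv4 header")
    return {
        "id": ident,
        "more_fragments": bool(flags_off & 0x2000),
        "offset": (flags_off & 0x1FFF) * 8,  # header field counts 8-byte units
        "payload": total_len - ihl,
        "ihl": ihl,
    }


def reassembled_end(frag):
    """Minimum size of the reassembled packet implied by this one fragment."""
    # Assumption: the final size counts the IP header plus data up to this fragment's end.
    return frag["ihl"] + frag["offset"] + frag["payload"]


def is_oversized(frag):
    return reassembled_end(frag) > MAX_IP_PACKET


def tcpdump_notation(frag):
    """Render id:size@offset the way the quoted tcpdump line does."""
    plus = "+" if frag["more_fragments"] else ""
    return "frag %d:%d@%d%s" % (frag["id"], frag["payload"], frag["offset"], plus)


if __name__ == "__main__":
    for name, hdr in (("thread", THREAD_HEADER), ("constructed", CONSTRUCTED_HEADER)):
        f = parse_fragment(hdr)
        print(name, tcpdump_notation(f), reassembled_end(f), is_oversized(f))
```

The offset field in the quoted header (0x3158 with the flag bits masked off) decodes to 35520 bytes, matching the `@35520` that tcpdump printed.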
Current thread:
- (spp_frag2) Oversized fragment, probable DoS Finney Charles E (Feb 13)
- Re: (spp_frag2) Oversized fragment, probable DoS Martin Roesch (Feb 13)