Snort mailing list archives

(no subject)


From: "Finney Charles E" <FinneyCharlesE () JohnDeere com>
Date: Mon, 16 Feb 2004 11:18:16 -0600

I understand the explanation.  Sort of.  However:
1. As icmp echo replies, I have the expectation that the replies contain the echo request data.  The pre-processor did 
not alert on any echo requests, so why replies?  BTW, the MTU is 1500 end-to-end, so the fragmentation was done by the 
src host in each direction, not intervening routers.

2. Given a "Total Length" field at ip[2:2] with a max value of 65535, what transpires to give > 65535?  If the src does 
not support > 65507 then an error is returned and no data is sent.  I have no understanding of what will actually 
transpire if the src can do > 65507 and the dst cannot.

3. What am I missing in interpretation of the packet that points to trouble as a function of offset 35520?  My trusty 
calculator shows 35520 div 8 = 4440, looks like all the numbers comply with the RFCs.  Yes/No?  Or are you simply 
saying crafted ping traffic with these kinds of sizes is trouble?

4. No, we haven't upgraded anywhere.  A lab project for sure - typical in up to our eyeballs problem.

Thanks,
Charlie

Cc: snort-users () lists sourceforge net
From: Martin Roesch <roesch () sourcefire com>
Subject: Re: [Snort-users] (spp_frag2) Oversized fragment, probable DoS
Date: Fri, 13 Feb 2004 20:49:53 -0500
To: "Finney Charles E" <FinneyCharlesE () JohnDeere com>

Hi Charles,

That alert is generated if the defragger tries to reassemble a packet
that has a final size greater than 65535 bytes, the largest allowable
IP packet.

Is that offset 35520 *bytes* into the packet?  If so that looks like a
problem.  What platform are you running on?  Have you tried upgrading
to 2.0.6?

      -Marty

On Feb 13, 2004, at 1:49 PM, Finney Charles E wrote:

Received the following running Snort ver 2.0.0: (spp_frag2) Oversized
fragment, probable DoS

The alerts logged are all of the form:
1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480@35520+)
0x0000   4500 05dc 78fa 3158 7e01 f3d1 0102 0304        E...x.1X~....+`F
0x0010   0506 0708 efbe adde efbe adde efbe adde        .5.U............
0x0020   efbe adde efbe adde efbe adde efbe adde        ................
...
0x05d0   efbe adde efbe adde efbe adde                  ............

Fully half of the 2800 alerts were for offset 35520.  The traffic
appears to have been stimulated by an application called "SiSandra".
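As an added example, not part of this thread or of Snort: the fragment fields are decoded from the header bytes quoted in the dump above, and the size check Marty describes (reassembled datagram larger than 65535 bytes) is applied. The second header is constructed here, with the same ID and length but the fragment offset field at its maximum, to show the condition that does raise the alert.

```python
import struct

MAX_IP_DATAGRAM = 65535  # largest value the 16-bit Total Length field (ip[2:2]) can hold

# First 20 bytes (the IPv4 header) copied from the 0x0000/0x0010 lines of the dump above.
ALERTED_FRAGMENT_HEX = "4500 05dc 78fa 3158 7e01 f3d1 0102 0304 0506 0708"

# Constructed, not from the thread: same ID and length, MF clear, fragment offset field
# at its maximum (0x1fff = 8191 units of 8 octets); header checksum zeroed for brevity.
OVERSIZED_LAST_FRAGMENT_HEX = "4500 05dc 78fa 1fff 7e01 0000 0102 0304 0506 0708"


def parse_fragment(header_hex):
    """Decode the fragmentation-relevant IPv4 header fields from a hex string."""
    raw = bytes.fromhex(header_hex.replace(" ", ""))
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    ihl = (ver_ihl & 0x0F) * 4                  # header length in bytes
    more_fragments = bool(flags_frag & 0x2000)  # MF bit, shown as '+' by tcpdump
    offset = (flags_frag & 0x1FFF) * 8          # low 13 bits, in 8-octet units
    payload_len = total_len - ihl
    return {
        "id": ident,
        "proto": proto,
        "payload_len": payload_len,
        "more_fragments": more_fragments,
        "offset": offset,
        "end": offset + payload_len,  # one past the last byte this fragment fills
    }


def format_tcpdump(frag):
    """Render a fragment the way the alert's summary line does: frag ID:len@offset[+]."""
    return "frag %d:%d@%d%s" % (frag["id"], frag["payload_len"], frag["offset"],
                                "+" if frag["more_fragments"] else "")


def reassembly_oversized(fragments):
    """The check described in the reply: the reassembled datagram is as large as the
    highest `end` among its fragments; above 65535 it cannot be a legal IP packet."""
    highest_end = max(f["end"] for f in fragments)
    return highest_end > MAX_IP_DATAGRAM, highest_end


if __name__ == "__main__":
    seen = parse_fragment(ALERTED_FRAGMENT_HEX)
    print(format_tcpdump(seen), "-> ends at byte", seen["end"])  # 37000, in range on its own
    flagged, size = reassembly_oversized([seen, parse_fragment(OVERSIZED_LAST_FRAGMENT_HEX)])
    print("oversized:", flagged, "reassembled size:", size)      # True, 67008
```

The quoted fragment alone reaches byte 37000, so on its own it is within limits; the alert fires only when the set of fragments sharing that ID claims a total beyond 65535.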




