Snort mailing list archives
(no subject)
From: "Finney Charles E" <FinneyCharlesE () JohnDeere com>
Date: Mon, 16 Feb 2004 11:18:16 -0600
I understand the explanation. Sort of. However:

1. As ICMP echo replies, I have the expectation that the replies contain the echo request data. The pre-processor did not alert on any echo requests, so why replies? BTW, the MTU is 1500 end-to-end, so the fragmentation was done by the src host in each direction, not intervening routers.

2. Given a "Total Length" field at ip[2:2] with a max value of 65535, what transpires to give > 65535? If the src does not support > 65507 then an error is returned and no data is sent. I have no understanding of what will actually transpire if the src can do > 65507 and the dst cannot.

3. What am I missing in interpretation of the packet that points to trouble as a function of offset 35520? My trusty calculator shows 35520 div 8 = 4440; looks like all the numbers comply with the RFCs. Yes/No? Or are you simply saying crafted ping traffic with these kinds of sizes are trouble?

4. No, we haven't upgraded anywhere. A lab project for sure - typical in up to our eyeballs problem.

Thanks,
Charlie
Cc: snort-users () lists sourceforge net
From: Martin Roesch <roesch () sourcefire com>
Subject: Re: [Snort-users] (spp_frag2) Oversized fragment, probable DoS
Date: Fri, 13 Feb 2004 20:49:53 -0500
To: "Finney Charles E" <FinneyCharlesE () JohnDeere com>

Hi Charles,

That alert is generated if the defragger tries to reassemble a packet that has a final size greater than 65535 bytes, the largest allowable IP packet.

Is that offset 35520 *bytes* into the packet? If so that looks like a problem. What platform are you running on? Have you tried upgrading to 2.0.6?

-Marty

On Feb 13, 2004, at 1:49 PM, Finney Charles E wrote:

Received the following running Snort ver 2.0.0:

(spp_frag2) Oversized fragment, probable DoS

The alerts logged are all of the form:

1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480@35520+)
0x0000  4500 05dc 78fa 3158 7e01 f3d1 0102 0304    E...x.1X~....+`F
0x0010  0506 0708 efbe adde efbe adde efbe adde    .5.U............
0x0020  efbe adde efbe adde efbe adde efbe adde    ................
...
0x05d0  efbe adde efbe adde efbe adde              ............

Fully half of the 2800 alerts were for offset 35520. The traffic appears to have been stimulated by an application called "SiSandra".
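To make the arithmetic in the thread concrete, the following is an added example; it is not Snort's spp_frag2 code and was not written by either correspondent. It parses the first 20 bytes of the hex dump above (one IPv4 header), reproduces tcpdump's `(frag id:len@off+)` annotation from the raw fields, and applies the size check Marty describes. Assumptions, labelled in the code as well: the alert threshold is read literally as "reassembled datagram larger than 65535 bytes, 20-byte header included"; `oversized()` looks only at what one fragment implies for the datagram it belongs to, whereas the preprocessor itself keeps state across all fragments; `build_ipv4_header()` is a hypothetical helper that constructs a crafted fragment with a zero checksum so the check can be exercised on an input that does trip it.

```python
"""Decode an IPv4 fragment header from a tcpdump hex dump and apply the
"reassembled size > 65535" check discussed in the thread.

Added example, not Snort's spp_frag2 implementation.
"""
import struct
from dataclasses import dataclass

MAX_IP_DATAGRAM = 65535        # 16-bit Total Length field, header included
IP_HEADER_LEN = 20             # minimal IPv4 header, no options
ICMP_HEADER_LEN = 8            # echo request/reply header
MAX_ICMP_ECHO_DATA = MAX_IP_DATAGRAM - IP_HEADER_LEN - ICMP_HEADER_LEN  # 65507

IP_MF = 0x2000                 # "more fragments" flag
IP_OFFSET_MASK = 0x1FFF        # 13-bit fragment offset, in 8-byte units

# First 20 bytes of the dump posted in the thread (one IP header). The rest
# of the 1480-byte payload is 0xdeadbeef filler and is not needed here.
SAMPLE_HEX = "4500 05dc 78fa 3158 7e01 f3d1 0102 0304 0506 0708"


@dataclass
class Fragment:
    ip_id: int
    total_len: int
    hdr_len: int
    offset: int          # byte offset of this fragment's payload in the datagram
    more_frags: bool
    proto: int
    src: str
    dst: str

    @property
    def payload_len(self) -> int:
        return self.total_len - self.hdr_len

    @property
    def end(self) -> int:
        """Byte position just past this fragment's payload (header excluded)."""
        return self.offset + self.payload_len


def parse_ipv4_header(hex_dump: str) -> Fragment:
    """Decode the fixed 20-byte IPv4 header from a space-separated hex string."""
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < IP_HEADER_LEN:
        raise ValueError("need at least the 20-byte IPv4 header")
    (vihl, _tos, total_len, ip_id, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:IP_HEADER_LEN])
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    hdr_len = (vihl & 0x0F) * 4
    if hdr_len < IP_HEADER_LEN or total_len < hdr_len:
        raise ValueError("inconsistent length fields")
    return Fragment(
        ip_id=ip_id, total_len=total_len, hdr_len=hdr_len,
        offset=(flags_off & IP_OFFSET_MASK) * 8,   # field counts 8-byte units
        more_frags=bool(flags_off & IP_MF),
        proto=proto,
        src=".".join(str(b) for b in src),
        dst=".".join(str(b) for b in dst),
    )


def tcpdump_frag_note(f: Fragment) -> str:
    """Reproduce tcpdump's '(frag id:len@off+)' annotation for this fragment."""
    return f"frag {f.ip_id}:{f.payload_len}@{f.offset}{'+' if f.more_frags else ''}"


def implied_datagram_size(f: Fragment) -> int:
    """Smallest reassembled datagram this fragment can belong to.
    Assumption: the 20-byte header is counted once, as in the Total Length field."""
    return f.end + IP_HEADER_LEN


def oversized(f: Fragment) -> bool:
    """Single-fragment reading of the alert: would the datagram have to exceed
    65535 bytes?  (The real preprocessor tracks all fragments of a datagram.)"""
    return implied_datagram_size(f) > MAX_IP_DATAGRAM


def build_ipv4_header(ip_id: int, payload_len: int, offset: int,
                      more_frags: bool, proto: int = 1) -> str:
    """Hypothetical helper: hex dump of a crafted fragment header (checksum 0)."""
    if offset % 8:
        raise ValueError("fragment offset must be a multiple of 8")
    units = offset // 8
    if units > IP_OFFSET_MASK:
        raise ValueError("offset does not fit the 13-bit field")
    flags_off = (IP_MF if more_frags else 0) | units
    raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HEADER_LEN + payload_len,
                      ip_id, flags_off, 64, proto, 0,
                      bytes([1, 2, 3, 4]), bytes([5, 6, 7, 8]))
    return raw.hex()


if __name__ == "__main__":
    f = parse_ipv4_header(SAMPLE_HEX)
    print(f"{f.src} > {f.dst}: proto {f.proto} ({tcpdump_frag_note(f)})")
    print(f"payload ends at byte {f.end}; implies a datagram of at least "
          f"{implied_datagram_size(f)} bytes; oversized={oversized(f)}")
    crafted = parse_ipv4_header(build_ipv4_header(
        ip_id=1, payload_len=1480, offset=65528, more_frags=False))
    print(f"crafted ({tcpdump_frag_note(crafted)}): oversized={oversized(crafted)}")
```

Run as a script, the posted header decodes to exactly the annotation in the alert: ID 30970, 1480 payload bytes at byte offset 35520 (13-bit field value 4440) with MF set. Its payload ends at byte 37000, so on this fragment alone the implied datagram is 37020 bytes and does not cross 65535. The crafted fragment at offset 65528 (the largest value the 13-bit field can hold) with the same 1480-byte payload does cross it, which is the shape of input the check exists for.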