Snort mailing list archives
RE: Snort Rules Help
From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Fri, 9 Jul 2004 16:10:52 -0400
Andy,

What is going on here is that Snort sees fragmented packets as IP packets, not UDP packets. Unless you have the frag2 preprocessor turned on, Snort will see the fragments as IP packets. Once you turn on the frag2 preprocessor, Snort will look at each individual fragment as an IP packet and the completed packet as its protocol, in this case UDP. In other words, with frag2 on, Snort will essentially see the packet twice.

If you set your alert rule as the following:

    alert ip any any -> any any (msg: "Unexpected unclassified traffic"; classtype: unexpected-traffic; fragoffset:0;)

then it will only alert on the initial fragment of the packets, and no others. I assume that you must have two rules to alert then - the one above and the original one. If that is the case, then you will still get all of the individual fragments, as they will alert on your original rule. Can you send exactly what your new rules are?

To solve your immediate need, you could set up the following two rules:

    alert ip any any -> any any (msg: "Unexpected unclassified traffic - initial fragment"; classtype: unexpected-traffic; fragoffset:0;)
    alert ip any any -> any any (msg: "Unexpected unclassified traffic"; classtype: unexpected-traffic; fragoffset:0; fragbits:!M;)

The first rule will alert only on the initial fragment. The second rule will alert on any IP packet that does not have the more fragments flag set (meaning it's part of a fragment train) and the fragmentation offset is 0. The caveat to the second rule is that if someone sets the fragmentation offset on a non-fragmented packet, you will not log it, even if you had wanted to.

May I make a suggestion, though, and leave it like it is? Fragmentation on a network isn't necessarily normal, and so you typically want to see all the fragmentation that comes into your network. It could be a sign of someone trying to bypass your firewall/IDS.

Tyler
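As an added example (not part of Tyler's message or of the Snort project): a short Python script that builds, from constructed data, one UDP datagram split into three IPv4 fragments plus one ordinary unfragmented packet, and applies the header tests behind the two rules above, fragoffset:0 (the 13-bit fragment offset equals zero) and fragbits:!M (the More Fragments bit is clear). It is not Snort and does no frag2 reassembly; it only shows which raw IP packets each rule's fragment tests select. The addresses, identification values and the 8-byte fragment size are assumptions chosen for illustration.

```python
import struct

# IPv4 flags / fragment-offset field layout (RFC 791)
IP_MF = 0x2000        # More Fragments bit: set on every fragment except the last
IP_OFFMASK = 0x1FFF   # 13-bit fragment offset, in units of 8 octets
IPPROTO_UDP = 17


def build_ipv4(payload: bytes, ident: int, offset_units: int, more_frags: bool,
               proto: int = IPPROTO_UDP) -> bytes:
    """Return a minimal IPv4 header (no options, checksum left zero) plus payload.
    Constructed test data, not a real capture; addresses are RFC 5737 examples."""
    flags_frag = (IP_MF if more_frags else 0) | (offset_units & IP_OFFMASK)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45,                  # version 4, IHL 5 (20-byte header)
                         0,                     # TOS
                         20 + len(payload),     # total length
                         ident,                 # identification, shared by all fragments
                         flags_frag,            # flags + fragment offset
                         64,                    # TTL
                         proto,
                         0,                     # header checksum (not needed here)
                         bytes([192, 0, 2, 1]),
                         bytes([198, 51, 100, 7]))
    return header + payload


def frag_offset(pkt: bytes) -> int:
    """13-bit fragment offset, the value Snort's fragoffset option compares."""
    return struct.unpack("!H", pkt[6:8])[0] & IP_OFFMASK


def mf_set(pkt: bytes) -> bool:
    """True when the More Fragments bit is set (what Snort's fragbits:M tests)."""
    return bool(struct.unpack("!H", pkt[6:8])[0] & IP_MF)


def rule_initial_fragment(pkt: bytes) -> bool:
    """Header test of rule 1: fragoffset:0"""
    return frag_offset(pkt) == 0


def rule_offset0_not_mf(pkt: bytes) -> bool:
    """Header test of rule 2: fragoffset:0; fragbits:!M"""
    return frag_offset(pkt) == 0 and not mf_set(pkt)


def fragment(payload: bytes, ident: int, frag_bytes: int = 8):
    """Split a payload into IPv4 fragments of frag_bytes (a multiple of 8) each."""
    assert frag_bytes % 8 == 0
    chunks = [payload[i:i + frag_bytes] for i in range(0, len(payload), frag_bytes)]
    return [build_ipv4(chunk, ident, (i * frag_bytes) // 8, i < len(chunks) - 1)
            for i, chunk in enumerate(chunks)]


def build_scenario():
    """Constructed traffic: a 24-byte UDP datagram sent as three 8-byte fragments,
    followed by one ordinary unfragmented packet."""
    frags = fragment(b"A" * 24, ident=0x1234)
    pkts = [(f"fragment {i} (offset {frag_offset(p)}, MF={int(mf_set(p))})", p)
            for i, p in enumerate(frags)]
    pkts.append(("unfragmented (offset 0, MF=0)",
                 build_ipv4(b"B" * 8, ident=0x1235, offset_units=0, more_frags=False)))
    return pkts


def evaluate(pkts):
    """Map each packet label to (rule 1 fires, rule 2 fires)."""
    return {label: (rule_initial_fragment(p), rule_offset0_not_mf(p)) for label, p in pkts}


if __name__ == "__main__":
    for label, (r1, r2) in evaluate(build_scenario()).items():
        print(f"{label:34s} fragoffset:0 -> {r1!s:5s}  fragoffset:0; fragbits:!M -> {r2}")
```

Running it shows the fragoffset:0 test matching the first fragment and the unfragmented packet, while the combined fragoffset:0; fragbits:!M test matches only the unfragmented packet: the initial fragment has MF set, and the last fragment has MF clear but a non-zero offset. Which of those packets you want an alert for is the tuning question the thread is about.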
Current thread:
- Snort Rules Help Cunningham, Andy (Jul 09)
- Re: Snort Rules Help Matt Kettler (Jul 09)
- RE: Snort Rules Help Esler, Joel - Contractor (Jul 09)
- RE: Snort Rules Help Hudak, Tyler (Jul 09)
- RE: Snort Rules Help Cunningham, Andy (Jul 15)