Snort mailing list archives

RE: Snort Rules Help


From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Fri, 9 Jul 2004 16:10:52 -0400

Andy,

  What is going on here is that Snort sees fragmented packets as IP packets,
not UDP packets.  Unless you have the frag2 preprocessor turned on, Snort
will see the fragments as IP packets.  Once you turn on the frag2
preprocessor Snort will look at each individual fragment as IP packets and
the completed packet as its protocol, in this case UDP.  In other words,
with frag2 on Snort will essentially see the packet twice.

  If you set your alert rule as the following:

alert ip any any -> any any (msg: "Unexpected unclassified traffic";
classtype: unexpected-traffic; fragoffset:0;)

  then it will only alert on the initial fragment of the packets, and no
others.  I assume that you must have two rules to alert then - the one above
and the original one.  If that is the case, then you will still get all of
the individual fragments as they will alert on your original rule.

  Can you send exactly what your new rules are?

  To solve your immediate need, you could set up the following two rules:

  alert ip any any -> any any (msg: "Unexpected unclassified traffic -
initial fragment"; classtype: unexpected-traffic; fragoffset:0;)
  alert ip any any -> any any (msg: "Unexpected unclassified traffic";
classtype: unexpected-traffic; fragoffset:0; fragbits:!M;)

  The first rule will alert only on the initial fragment.  The second rule
will alert on any IP packet that does not have the more fragbits flag set
(meaning it's part of a fragment train) and the fragmentation offset is 0.
The caveat to the second rule is that if someone sets the fragmentation
offset on a non-fragmented packet you will not log it, even if you had
wanted to.

  May I make a suggestion, though, and leave it like it is?  Fragmentation on
a network isn't necessarily normal and so you typically want to see all the
fragmentation that comes into your network.  It could be a sign of someone
trying to bypass your firewall/IDS.

Tyler
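
The behaviour described in the message above, as an added example that is not part of the original post and not Snort's own code: a small Python script that builds a UDP datagram, splits it into an IPv4 fragment train the way a router would, and evaluates the two rule options in question against each packet. The rule semantics are modelled as `fragoffset:0` matching when the IPv4 fragment offset field is zero and `fragbits:!M` matching when the More Fragments bit is clear; the addresses, ports, IP ID values and the 16-byte fragment size are constructed for the example. The `reassemble()` helper stands in for what a reassembling preprocessor such as frag2 hands to the UDP rules, which is why, with it enabled, the same data is inspected twice (once per fragment as IP, once whole as UDP).

```python
"""Added example (not from the original post or from Snort): a toy IPv4
fragmenter/reassembler used to check which packets the two rules match.
Rule options are modelled as:
  fragoffset:0   -> IPv4 fragment offset field == 0
  fragbits:!M    -> More Fragments (MF) flag NOT set
"""
import struct

IP_MF = 0x2000       # More Fragments flag in the flags/offset field
IP_OFFMASK = 0x1FFF  # 13-bit fragment offset, in units of 8 bytes
PROTO_UDP = 17


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over the 20-byte header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(payload: bytes, ident: int, mf: bool, offset_bytes: int,
               proto: int = PROTO_UDP) -> bytes:
    """Minimal 20-byte IPv4 header + payload (10.0.0.1 -> 10.0.0.2, constructed)."""
    assert offset_bytes % 8 == 0, "fragment offsets are in 8-byte units"
    flags_off = (IP_MF if mf else 0) | (offset_bytes // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_off, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def fragment(payload: bytes, ident: int, frag_size: int = 16) -> list:
    """Split a transport payload into IPv4 fragments of frag_size bytes
    (multiple of 8); MF is set on every fragment except the last."""
    assert frag_size % 8 == 0
    frags = []
    for off in range(0, len(payload), frag_size):
        chunk = payload[off:off + frag_size]
        mf = off + len(chunk) < len(payload)
        frags.append(build_ipv4(chunk, ident, mf, off))
    return frags


def parse_ipv4(pkt: bytes) -> dict:
    """Pull out the fields the two rules look at."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_off = struct.unpack("!H", pkt[6:8])[0]
    return {"proto": pkt[9], "mf": bool(flags_off & IP_MF),
            "offset": (flags_off & IP_OFFMASK) * 8, "data": pkt[ihl:]}


def rule_initial(h: dict) -> bool:
    """alert ip any any -> any any (... fragoffset:0;)"""
    return h["offset"] == 0


def rule_unfragmented(h: dict) -> bool:
    """alert ip any any -> any any (... fragoffset:0; fragbits:!M;)"""
    return h["offset"] == 0 and not h["mf"]


def evaluate(packets: list) -> list:
    """(offset, MF, first rule fires, second rule fires) per packet, i.e.
    each fragment judged on its own as an IP packet."""
    out = []
    for p in packets:
        h = parse_ipv4(p)
        out.append((h["offset"], h["mf"], rule_initial(h), rule_unfragmented(h)))
    return out


def reassemble(frags: list) -> bytes:
    """The completed datagram a reassembling preprocessor would inspect as UDP."""
    parts = sorted((parse_ipv4(f) for f in frags), key=lambda h: h["offset"])
    return b"".join(h["data"] for h in parts)


# Constructed sample: a 40-byte UDP datagram (8-byte header + 32 bytes of data)
UDP_DATAGRAM = struct.pack("!HHHH", 4444, 53, 40, 0) + b"A" * 32
FRAGMENT_TRAIN = fragment(UDP_DATAGRAM, ident=0x1234, frag_size=16)  # 3 fragments
UNFRAGMENTED = build_ipv4(UDP_DATAGRAM, ident=0x1235, mf=False, offset_bytes=0)
# The caveat from the post: MF clear but a non-zero offset on a lone packet.
BOGUS_OFFSET = build_ipv4(UDP_DATAGRAM, ident=0x1236, mf=False, offset_bytes=8)

if __name__ == "__main__":
    for row in evaluate(FRAGMENT_TRAIN + [UNFRAGMENTED, BOGUS_OFFSET]):
        print("offset=%-3d MF=%-5s fragoffset:0=%-5s fragoffset:0;fragbits:!M=%s" % row)
    print("reassembled matches original:", reassemble(FRAGMENT_TRAIN) == UDP_DATAGRAM)
```

Running it shows the split the post describes: only the first fragment of the train (offset 0, MF set) trips the `fragoffset:0` rule, the middle and last fragments trip neither, the unfragmented datagram trips both, and the lone packet with a forged non-zero offset trips neither, which is exactly the case the post's caveat warns about.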
