Snort mailing list archives

Re: frag3 Fragmentation overlap Alert


From: "Michael Green" <Michael.Green () gbst com>
Date: Fri, 9 Jan 2009 09:06:18 +1000

Joel

I'm seeing repeat fragments, i.e. the same fragment repeated 2, maybe 3 times.

Also, yes, my frag3 policies bound to address lists come first, followed by a catch-all Windows rule last.

On Jan 8, 2009, at 5:13 PM, Michael Green allegedly wrote:

Hi

I'm running Snort 2.8.3.1 on CentOS 5. I'm getting a lot of alerts from frag3 for a Fragmentation overlap. After doing a packet capture I can confirm that there is indeed fragmentation overlap, or at least repeats of the same fragment. Would Snort count that as an overlap?

Anyway, it's one of my Cisco ASAs doing a large OSPF LS update, and while I'd like to stop the firewall sending multiple fragments, I also want to stop Snort alerting on this!

In my frag3 config I have the following specifically for my Cisco devices; I also have other policies for my other devices:

                preprocessor frag3_engine: policy last bind_to [<list of cisco ip's>]

Note I don't have "detect_anomalies" for this particular policy. I thought that this would stop the alerts, but apparently not.

I would appreciate any suggestions on how to stop this. Also, if "detect_anomalies" doesn't work as I thought, what is it for?

Two things to remember. First: are you seeing fragmentation overlap when you look at the packets? If so, of course Snort is going to alert.

Second: remember that if you have multiple policy lines within the frag3_engine piece of the frag3 configuration, you are going to want to go from "most specific" to "least specific". Please see the README.frag3 in the doc/ directory of the Snort tarball.

--

Joel Esler
http://www.joelesler.net
http://www.twitter.com/joelesler
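
To answer Joel's first question from the capture itself, here is an added Python example (not from the thread, and not Snort or frag3 code) that separates exact repeats of a fragment, as Michael describes, from fragments whose byte ranges only partially overlap, and also reports holes in the reassembled datagram. The fragment tuples are constructed sample values in the shape of the IPv4 header fields (IP ID, fragment offset field in 8-byte units, payload length, MF flag), not real capture data.

```python
from collections import defaultdict

# Constructed sample, not real capture data:
# (ip_id, fragment_offset_field, payload_len, more_fragments)
SAMPLE_FRAGS = [
    (0x1A2B, 0, 1480, 1),    # first fragment of a large datagram
    (0x1A2B, 0, 1480, 1),    # the same fragment sent again (an exact repeat)
    (0x1A2B, 185, 1480, 1),  # byte offset 185*8 = 1480, contiguous
    (0x1A2B, 370, 400, 0),   # byte offset 2960, last fragment (MF = 0)
    (0x1A2C, 0, 1480, 1),
    (0x1A2C, 100, 1480, 1),  # byte offset 800: partially overlaps the first fragment
    (0x1A2C, 370, 200, 0),   # byte offset 2960: leaves a hole from 2280 to 2960
]


def classify_fragments(frags):
    """Group fragments by IP ID and report exact repeats, partial overlaps and holes.

    Returns {ip_id: {"repeats": n, "overlaps": n, "gaps": [(from, to), ...],
                     "last_seen": bool}}.  Offsets are converted from the 8-byte
    units of the IPv4 header to byte ranges [start, end).
    """
    by_id = defaultdict(list)
    for ip_id, off_field, length, mf in frags:
        start = off_field * 8
        by_id[ip_id].append((start, start + length, mf))

    report = {}
    for ip_id, pieces in by_id.items():
        seen = []                      # distinct byte ranges in arrival order
        repeats = overlaps = 0
        last_seen = False
        for start, end, mf in pieces:
            if (start, end) in seen:
                repeats += 1           # identical range already seen: a repeat
            else:
                if any(start < e and s < end for s, e in seen):
                    overlaps += 1      # intersects an earlier range but differs
                seen.append((start, end))
            if mf == 0:
                last_seen = True
        gaps, covered = [], 0          # walk sorted ranges to find holes
        for s, e in sorted(seen):
            if s > covered:
                gaps.append((covered, s))
            covered = max(covered, e)
        report[ip_id] = {"repeats": repeats, "overlaps": overlaps,
                         "gaps": gaps, "last_seen": last_seen}
    return report


if __name__ == "__main__":
    for ip_id, info in classify_fragments(SAMPLE_FRAGS).items():
        print(f"IP ID 0x{ip_id:04x}: {info}")
```

A datagram that shows repeats but no overlaps and no gaps is the "same fragment sent twice" case; a non-zero overlap count means two fragments actually claim different but intersecting byte ranges.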
