Snort mailing list archives
Re: frag3 Fragmentation overlap Alert
From: "Michael Green" <Michael.Green () gbst com>
Date: Fri, 9 Jan 2009 09:06:18 +1000
Joel I'm seeing repeat fragments, i.e. the same fragment repeated 2 maybe 3 times. Also yes my frag3 policies bound to address lists come first followed by a catch all windows rule last. On Jan 8, 2009, at 5:13 PM, Michael Green allegedly wrote: Hi I'm running snort 2.8.3.1 on CentOS 5. I'm getting a lot of alerts from frag3 for a Fragmentation overlap. After doing a packet capture I can confirm that there is indeed Fragmentation overlap or at least repeats of the same fragment. Would snort count that as an overlap? Anyway it's one of my Cisco ASAs doing a large OSPF LS update and while I'd like to stop the firewall sending multiple fragments I also want to stop snort alerting on this! In my frag3 config I have the following specifically for my Cisco devices, I also have other policies for my other devices: preprocessor frag3_engine: policy last bind_to [<list of cisco ip's>] Note I don't have "detect_anomalies" for this particular policy. I thought that this would stop the alerts, but apparently not. I would appreciate any suggestions on how to stop this? Also if "detect_anomalies" doesn't work as I thought what is it for? Two things to remember, are you seeing fragmentation overlap when you look at the packets? If so, of course Snort is going to alert. Second thing is, remember that if you have multiple policy lines within the frag3_engine piece of the frag3 configuration, you are going to want to go from "most specific" to "least specific". Please see the README.frag3 on the doc/ directory of the Snort tarball. -- Joel Esler http://www.joelesler.net http://www.twitter.com/joelesler [m]
------------------------------------------------------------------------------ Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source. http://p.sf.net/sfu/Xq1LFB
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- frag3 Fragmentation overlap Alert Michael Green (Jan 08)
- Re: frag3 Fragmentation overlap Alert Joel Esler (Jan 08)
- Re: frag3 Fragmentation overlap Alert Michael Green (Jan 08)
- Re: frag3 Fragmentation overlap Alert Todd Wease (Jan 08)
- Re: frag3 Fragmentation overlap Alert Michael Green (Jan 08)
- Re: frag3 Fragmentation overlap Alert Joel Esler (Jan 08)