Snort mailing list archives
Re: frag3 Fragmentation overlap Alert
From: "Michael Green" <Michael.Green () gbst com>
Date: Fri, 9 Jan 2009 10:49:30 +1000
Todd thanks for helping me think straight! Since the cisco's send ospf updates to a multicast address, I bound that address to an unused profile (bsd in my network) and removed "detect_anomalies" for that profile. The alerts have stoped! Thank you Michael
Hi Michael, The bind_to argument applies to destination IP addresses, so if the Cisco routers are the ones creating the fragments, i.e. are the source IP addresses, your frag3_engine configuration which lists the Cisco IPs won't be used and the default one will. The frag3_engine configuration is related to how the *receiver* will deal with the fragments. bind_to <ip_list> - IP List to bind this engine to. This engine will only run for packets with destination addresses contained within the IP List. Default value is "all". What you'll need to do is list the IPs that the Cisco traffic is going to. If this isn't possible another solution might be to enable preprocessor and decoder events and comment the fragmentation overlap event in preproc_rules/preprocessor.rules. You'll need to rebuild Snort with "--enable-decoder-preprocessor-rules" and uncomment the following in snort.conf: # include $PREPROC_RULE_PATH/preprocessor.rules # include $PREPROC_RULE_PATH/decoder.rules and comment the following in preproc_rules/preprocessor.rules: alert ( msg: "FRAG3_ANOMALY_OVLP"; sid: 8; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; ) Note that doing this will disable this event completely. Todd Michael Green wrote:
Hi I'm running snort 2.8.3.1 on CentOS 5. I'm getting a lot of alerts from frag3 for a Fragmentation overlap. After doing a packet capture I can confirm that there is indeed Fragmentation overlap or at least repeats of the same fragment. Would snort count that as an overlap? Anyway it's one of my Cisco ASAs doing a large OSPF LS update and while I'd like to stop the firewall sending multiple fragments I also want to stop snort alerting on this! In my frag3 config I have the following specifically for my Cisco devices, I also have other policies for my other devices: preprocessor frag3_engine: policy last bind_to [</list of cisco ip's/>] Note I don't have "detect_anomalies" for this particular policy. I thought that this would stop the alerts, but apparently not. I would appreciate any suggestions on how to stop this? Also if "detect_anomalies" doesn't work as I thought what is it for? *Michael Green* Senior Network Engineer Global Banking & Securities Transactions http://gbst.com/ */One often meets his destiny on the road to avoiding it!/*//
------------------------------------------------------------------------
------------------------------------------------------------------------ ------
Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source. http://p.sf.net/sfu/Xq1LFB
------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
------------------------------------------------------------------------------ Check out the new SourceForge.net Marketplace. It is the best place to buy or sell services for just about anything Open Source. http://p.sf.net/sfu/Xq1LFB _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- frag3 Fragmentation overlap Alert Michael Green (Jan 08)
- Re: frag3 Fragmentation overlap Alert Joel Esler (Jan 08)
- Re: frag3 Fragmentation overlap Alert Michael Green (Jan 08)
- Re: frag3 Fragmentation overlap Alert Todd Wease (Jan 08)
- Re: frag3 Fragmentation overlap Alert Michael Green (Jan 08)
- Re: frag3 Fragmentation overlap Alert Joel Esler (Jan 08)