Snort mailing list archives

Re: frag3 Fragmentation overlap Alert


From: "Michael Green" <Michael.Green () gbst com>
Date: Fri, 9 Jan 2009 10:49:30 +1000

Todd

Thanks for helping me think straight!

Since the Ciscos send OSPF updates to a multicast address, I bound that
address to an unused profile (bsd in my network) and removed
"detect_anomalies" for that profile. The alerts have stopped!

Thank you

Michael




Hi Michael,

The bind_to argument applies to destination IP addresses, so if the
Cisco routers are the ones creating the fragments, i.e. are the source
IP addresses, your frag3_engine configuration which lists the Cisco IPs
won't be used and the default one will.  The frag3_engine configuration
is related to how the *receiver* will deal with the fragments.

bind_to <ip_list> - IP List to bind this engine to.  This engine will only
                    run for packets with destination addresses contained
                    within the IP List.  Default value is "all".

What you'll need to do is list the IPs that the Cisco traffic is going
to.  If this isn't possible another solution might be to enable
preprocessor and decoder events and comment the fragmentation overlap
event in preproc_rules/preprocessor.rules.  You'll need to rebuild Snort
with "--enable-decoder-preprocessor-rules" and uncomment the following
in snort.conf:

# include $PREPROC_RULE_PATH/preprocessor.rules
# include $PREPROC_RULE_PATH/decoder.rules

and comment the following in preproc_rules/preprocessor.rules:

alert ( msg: "FRAG3_ANOMALY_OVLP"; sid: 8; gid: 123; rev: 1; metadata:
rule-type preproc ; classtype:protocol-command-decode; )

Note that doing this will disable this event completely.

Todd


Michael Green wrote:

Hi

 

I'm running snort 2.8.3.1 on CentOS 5. I'm getting a lot of alerts
from frag3 for a Fragmentation overlap. After doing a packet capture I
can confirm that there is indeed Fragmentation overlap or at least
repeats of the same fragment. Would snort count that as an overlap?

 

Anyway, it's one of my Cisco ASAs doing a large OSPF LS update, and
while I'd like to stop the firewall sending multiple fragments I also
want to stop snort alerting on this!

 

In my frag3 config I have the following specifically for my Cisco
devices; I also have other policies for my other devices:

    preprocessor frag3_engine: policy last bind_to [</list of cisco ip's/>]

 

Note I don't have "detect_anomalies" for this particular policy. I
thought that this would stop the alerts, but apparently not.

 

I would appreciate any suggestions on how to stop this. Also, if
"detect_anomalies" doesn't work as I thought, what is it for?

 

*Michael Green*

Senior Network Engineer

Global Banking & Securities Transactions

http://gbst.com/

One often meets his destiny on the road to avoiding it!
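A snort.conf fragment that puts Todd's point about bind_to matching destination addresses together with the fix Michael reported (added here as an illustration; it is not a configuration from the thread or from the Snort project). It assumes the ASA's OSPF LS updates go to the standard OSPF multicast groups 224.0.0.5 and 224.0.0.6, uses 10.1.0.0/16 as a placeholder for the networks behind the routers, and uses the Snort 2.8 frag3 option names (policy, bind_to, detect_anomalies).

```conf
# Added example, not from the thread. Addresses are placeholders/assumptions.
preprocessor frag3_global: max_frags 65536

# Default engine: handles every destination not matched by a bind_to engine
# below. detect_anomalies stays on here so overlap events still fire for
# ordinary unicast traffic.
preprocessor frag3_engine: policy first detect_anomalies

# Engine for the hosts behind the Cisco devices. bind_to is matched against
# the *destination* address, so listing the routers' own (source) IPs, as in
# the original config, would never select this engine for the fragments
# they send. 10.1.0.0/16 is a placeholder.
preprocessor frag3_engine: policy first bind_to [10.1.0.0/16] detect_anomalies

# OSPF LS updates are multicast to AllSPFRouters (224.0.0.5) and
# AllDRouters (224.0.0.6). Bind an engine to those destinations *without*
# detect_anomalies: the repeated/overlapping fragments are still reassembled
# under the bsd policy, but FRAG3_ANOMALY_OVLP (gid 123, sid 8) is not
# raised for them. Anomaly detection remains active for all other
# destinations.
preprocessor frag3_engine: policy bsd bind_to [224.0.0.5,224.0.0.6]
```

Scoping the exception to the two multicast destinations is narrower than commenting out gid 123 sid 8 in preprocessor.rules, which Todd notes disables the event completely; the trade-off is that overlapping fragments sent to those two group addresses will no longer be reported at all, so the list should stay as short as the routing traffic allows.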

 


------------------------------------------------------------------------


------------------------------------------------------------------------------
Check out the new SourceForge.net Marketplace.
It is the best place to buy or sell services for
just about anything Open Source.
http://p.sf.net/sfu/Xq1LFB

------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

