[Snort-devel] frag2 problems

Nathan W. Labadie ab0781 at ...839...
Tue Jan 22 12:25:05 EST 2002


Specs:
Linux-Mandrake 8.1, kernel 2.4.18-pre3, gcc 2.96, latest cvs snort 
pulled from SNORT_1_8.

I just updated snort to the latest in SNORT_1_8 and started noticing a 
few problems with frag2. In less than 15 minutes, snort logged close to 
50,000 alerts running against two /16 networks. All of the alerts are 
listed as "spp_frag2: Teardrop attack". Looking through the output in 
tcpdump shows that they _are_ fragmented packets (don't know why),
but they are definitely _not_ teardrop attacks. Any ideas?

-- 
Nathan W. Labadie       | ab0781 at ...839...	
Sr. Security Specialist | 313/577.2126
Wayne State University  | 313/577.1338 fax
C&IT Information Security Office: http://security.wayne.edu



