[Snort-devel] frag2 problems
Martin Roesch
roesch at ...402...
Tue Jan 22 13:21:01 EST 2002
Oops, my bad. I fixed some stuff this weekend and didn't initialize a
new variable that is in the system to pickup teardrop attacks, so what
do you know it always goes off for every fragmented packet. Brilliant,
eh? Anyway, I checked the fix into CVS a couple minutes ago, sorry for
the screwup.
-Marty
"Nathan W. Labadie" wrote:
>
> Specs:
> Linux-Mandrake 8.1, kernel 2.4.18-pre3, gcc 2.96, latest cvs snort
> pulled from SNORT_1_8.
>
> I just updated snort to the latest in SNORT_1_8 and started noticing a
> few problems with frag2. In less than 15 minutes, snort logged close to
> 50,000 alerts running against two /16 networks. All of the alerts are
> listed as "spp_frag2: Teardrop attack". Looking through the output in
> tcpdump shows that they _are_ fragmented packets (don't know why),
> but they are definitely _not_ teardrop attacks. Any ideas?
>
> --
> Nathan W. Labadie | ab0781 at ...839...
> Sr. Security Specialist | 313/577.2126
> Wayne State University | 313/577.1338 fax
> C&IT Information Security Office: http://security.wayne.edu
>
> _______________________________________________
> Snort-devel mailing list
> Snort-devel at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-devel
--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
More information about the Snort-devel
mailing list