[Snort-devel] frag2 problems

Martin Roesch roesch at ...402...
Tue Jan 22 13:21:01 EST 2002


Oops, my bad.  I fixed some stuff this weekend and didn't initialize a
new variable that is in the system to pick up teardrop attacks, so, what
do you know, it always goes off for every fragmented packet.  Brilliant,
eh?  Anyway, I checked the fix into CVS a couple minutes ago, sorry for
the screwup.

     -Marty

"Nathan W. Labadie" wrote:
> 
> Specs:
> Linux-Mandrake 8.1, kernel 2.4.18-pre3, gcc 2.96, latest cvs snort
> pulled from SNORT_1_8.
> 
> I just updated snort to the latest in SNORT_1_8 and started noticing a
> few problems with frag2. In less than 15 minutes, snort logged close to
> 50,000 alerts running against two /16 networks. All of the alerts are
> listed as "spp_frag2: Teardrop attack". Looking through the output in
> tcpdump shows that they _are_ fragmented packets (don't know why),
> but they are definitely _not_ teardrop attacks. Any ideas?
> 
> --
> Nathan W. Labadie       | ab0781 at ...839...
> Sr. Security Specialist | 313/577.2126
> Wayne State University  | 313/577.1338 fax
> C&IT Information Security Office: http://security.wayne.edu

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
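
The failure mode discussed in this thread, shown as an added example (not code from Snort or from either poster): an overlap check whose alert flag is given a defined value before any fragment is examined. The `struct frag` type, the function name, the overlap heuristic and the sample fragment trains are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical fragment record for this example; not a Snort frag2 structure. */
struct frag {
    uint32_t offset; /* byte offset of the payload within the datagram */
    uint32_t len;    /* payload length in bytes */
};

/* Returns 1 if any fragment partially overlaps an earlier one, else 0. */
int has_teardrop_overlap(const struct frag *f, size_t n)
{
    /* The flag gets a defined value before any fragment is examined.
     * Left uninitialised, it holds whatever was left in that memory,
     * and any nonzero value raises the alert for a clean datagram. */
    int teardrop = 0;

    for (size_t i = 1; i < n; i++) {
        uint32_t start = f[i].offset, end = start + f[i].len;
        for (size_t j = 0; j < i; j++) {
            uint32_t pstart = f[j].offset, pend = pstart + f[j].len;
            /* Exact duplicates are treated as retransmissions (assumption). */
            if (start == pstart && end == pend)
                continue;
            /* Half-open ranges [start,end) and [pstart,pend) intersect. */
            if (start < pend && pstart < end)
                teardrop = 1;
        }
    }
    return teardrop;
}

/* Constructed sample fragment trains, not captured traffic. */
static const struct frag in_order[]     = { {0, 1480}, {1480, 1480}, {2960, 520} };
static const struct frag out_of_order[] = { {1480, 1480}, {0, 1480}, {2960, 520} };
static const struct frag overlapping[]  = { {0, 36}, {24, 4} };

int main(void)
{
    printf("in order:     %d\n", has_teardrop_overlap(in_order, 3));
    printf("out of order: %d\n", has_teardrop_overlap(out_of_order, 3));
    printf("overlapping:  %d\n", has_teardrop_overlap(overlapping, 2));
    return 0;
}
```

Building with `gcc -Wall -Wextra` (or `-Wuninitialized`) will often report a local flag that is read before being set, though not in every code path.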
