[Snort-devel] frag2 alerts

Nathan W. Labadie ab0781 at ...839...
Tue Jun 4 06:51:12 EDT 2002


This is with the latest CVS for SNORT_1_8, using linux on an i686.

I have the following in snort.conf:
preprocessor frag2: memcap 16777216, timeout 30

Note that detect_state_problems is not enabled, but I still seem to be 
receiving alerts from spp_frag2:

06/04-09:33:18.879747  [**] [113:5:1] spp_frag2: Duplicate first fragments 
[**] {UDP} 63.250.205.5 -> 141.x.x.x
06/04-09:35:48.512416  [**] [113:5:1] spp_frag2: Duplicate first fragments 
[**] {UDP} 63.250.205.5 -> 141.x.x.x
06/04-09:35:49.231044  [**] [113:5:1] spp_frag2: Duplicate first fragments 
[**] {UDP} 63.250.205.5 -> 141.x.x.x

Any ideas on how to fix this?

Thanks much,
Nate

NOTE: I'm not on the list, please include me in the reply.

-- 
Nathan W. Labadie       | ab0781 at ...839...	
Sr. Security Specialist | 313-577-2126
Wayne State University  | 313-577-1338 fax
C&IT Information Security Office: http://security.wayne.edu





More information about the Snort-devel mailing list