[Snort-devel] frag2 alerts

Nathan W. Labadie ab0781 at ...839...
Fri Jun 7 15:29:03 EDT 2002


Still seeing spp_frag2 alerts with the latest CVS:

06/07-10:57:38.586498  [**] [113:3:1] spp_frag2: TTL EVASION (reassemble) detection [**] {UDP} x.x.x.x -> x.x.x.x
06/07-10:57:38.586547  [**] [113:3:1] spp_frag2: TTL EVASION (reassemble) detection [**] {UDP} x.x.x.x -> x.x.x.x
06/07-18:15:45.306311  [**] [113:3:1] spp_frag2: TTL EVASION (reassemble) detection [**] {TCP} x.x.x.x -> x.x.x.x

On Tue, Jun 04, 2002 at 03:56:33PM -0400, Chris Green wrote:
> "Nathan W. Labadie" <ab0781 at ...839...> writes:
> 
> > This is with the latest CVS for SNORT_1_8, using linux on an i686.
> >
> > I have the following in snort.conf:
> > preprocessor frag2: memcap 16777216, timeout 30
> >
> > Note that detect_state_problems is not enabled, but I still seem to be 
> > receiving alerts from spp_frag2:
> >
> > 06/04-09:33:18.879747  [**] [113:5:1] spp_frag2: Duplicate first fragments [**] {UDP} 63.250.205.5 -> 141.x.x.x
> > 06/04-09:35:48.512416  [**] [113:5:1] spp_frag2: Duplicate first fragments [**] {UDP} 63.250.205.5 -> 141.x.x.x
> > 06/04-09:35:49.231044  [**] [113:5:1] spp_frag2: Duplicate first fragments [**] {UDP} 63.250.205.5 -> 141.x.x.x
> >
> > Any ideas on how to fix this?
> >
> 
> CVS update :-)
> 
> Thanks for the bug report. Wish you could have done it about 12 hours
> earlier :p
> -- 
> Chris Green <cmg at ...402...>
> To err is human, to moo bovine.

-- 
Nathan W. Labadie       | ab0781 at ...839...	
Sr. Security Specialist | 313-577-2126
Wayne State University  | 313-577-1338 fax
C&IT Information Security Office: http://security.wayne.edu



