[Snort-devel] snort: new pb with frag packet ...

rmkml rmkml at ...1042...
Fri Apr 4 05:57:31 EST 2003


Hi,

I use snort 191b234 (not tested on v2.x)

and I had this problem this morning (GMT+1):

11:00:02.765279 193.251.188.120 > 81.51.107.221: (frag 0:20 at ...1906...) (ttl 247, len 40)
11:00:43.942568 193.251.188.120 > 81.51.107.221: (frag 0:20 at ...1467...) (ttl 247, len 40)
11:01:25.139910 193.251.188.120 > 81.51.107.221: (frag 0:20 at ...1907...) (ttl 247, len 40)

Snort does not alarm on these packets.

WHY?

Other NIDS product:
Firestorm alarms: teardrop event ...

tcpdump file attached;
IP 193.251.x.x has not had any other traffic in the last 24h,
and this IP is certainly spoofed...

Frag stats:
==============================
Fragmentation Stats:
Fragmented IP Packets: 8          (0.001%)
    Fragment Trackers: 3
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 1
  Frag2 memory faults: 0
===============================
Yes, I have other frag packets with the same problem... (and not the same src IP).
Snort discarded 1 packet? (logged?)

And here is my frag config:
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0

Regards

PS: sorry for my bad English.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: teardrop-frag.tcpdump.gz
Type: application/x-gzip
Size: 176 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030404/0822926d/attachment.bin>
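An added example, not part of rmkml's post and not Snort's frag2 code: a small Python fragment tracker that replays tcpdump fragment lines like the ones above and reports overlapping fragments (the condition behind a teardrop-style alert) next to frag2-like counters. The sample capture is constructed: the post's three lines rewritten in tcpdump's native `frag id:size@offset` syntax with the post's timestamps, addresses and offsets, plus two lines for a second datagram (ID 7) that exercises the 60-second timeout, the frag2 default the post shows. The timeout is measured from the tracker's most recent fragment, which is an assumption of this example and not a statement about how frag2 measures it.

```python
import re
from dataclasses import dataclass, field

# tcpdump's IP fragment summary: "(frag ID:SIZE@OFFSET)", with a trailing '+'
# when the More-Fragments flag is set.
FRAG_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
)

FRAG_TIMEOUT = 60.0  # frag2's default fragment timeout, as shown in the post

# Constructed sample capture: the post's three lines in tcpdump's native
# syntax, plus two lines for a second datagram (ID 7) that times out.
SAMPLE_LINES = [
    "11:00:02.765279 193.251.188.120 > 81.51.107.221: (frag 0:20@1906) (ttl 247, len 40)",
    "11:00:43.942568 193.251.188.120 > 81.51.107.221: (frag 0:20@1467) (ttl 247, len 40)",
    "11:01:25.139910 193.251.188.120 > 81.51.107.221: (frag 0:20@1907) (ttl 247, len 40)",
    "11:05:00.000000 10.0.0.5 > 10.0.0.9: (frag 7:1480@0+) (ttl 64, len 1500)",
    "11:07:00.000000 10.0.0.5 > 10.0.0.9: (frag 7:100@1480) (ttl 64, len 120)",
]


@dataclass
class Tracker:
    """State for one (src, dst, IP-ID) datagram being reassembled."""
    frags: list = field(default_factory=list)  # (offset, size) pairs seen so far
    last_seen: float = 0.0
    has_first: bool = False  # saw the fragment at offset 0
    has_last: bool = False   # saw a fragment with More-Fragments clear


def parse_line(line):
    """Return a dict for a tcpdump fragment line, or None if it is not one."""
    m = FRAG_RE.match(line)
    if not m:
        return None
    h, mi, s = m["ts"].split(":")
    return {
        "ts": int(h) * 3600 + int(mi) * 60 + float(s),
        "src": m["src"], "dst": m["dst"], "id": int(m["id"]),
        "size": int(m["size"]), "off": int(m["off"]), "more": m["more"] == "+",
    }


def _contiguous(frags):
    """True if the (offset, size) pairs cover 0..end with no gaps."""
    end = 0
    for off, size in sorted(frags):
        if off > end:
            return False
        end = max(end, off + size)
    return True


def analyze(lines, timeout=FRAG_TIMEOUT):
    """Replay fragment lines; return (overlap alerts, frag2-style counters)."""
    trackers = {}
    stats = {"fragments": 0, "trackers": 0, "rebuilt": 0,
             "discarded_timeout": 0, "discarded_incomplete": 0}
    alerts = []
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue
        stats["fragments"] += 1
        key = (f["src"], f["dst"], f["id"])
        t = trackers.get(key)
        # Assumption: the timeout runs from the tracker's newest fragment.
        if t is not None and f["ts"] - t.last_seen > timeout:
            stats["discarded_timeout"] += 1
            del trackers[key]
            t = None
        if t is None:
            t = trackers[key] = Tracker()
            stats["trackers"] += 1
        lo, hi = f["off"], f["off"] + f["size"]
        # Any overlap with a fragment already held is the teardrop-style condition.
        for off, size in t.frags:
            if lo < off + size and off < hi:
                alerts.append({"ts": f["ts"], "src": f["src"], "id": f["id"],
                               "new": (lo, f["size"]), "existing": (off, size)})
                break
        t.frags.append((lo, f["size"]))
        t.last_seen = f["ts"]
        if f["off"] == 0:
            t.has_first = True
        if not f["more"]:
            t.has_last = True
        if t.has_first and t.has_last and _contiguous(t.frags):
            stats["rebuilt"] += 1
            del trackers[key]
    # Whatever is still pending at the end of the capture never completed.
    stats["discarded_incomplete"] = len(trackers)
    return alerts, stats


if __name__ == "__main__":
    found, counters = analyze(SAMPLE_LINES)
    for a in found:
        print("overlap:", a)
    print(counters)
```

Run against the sample, the third line's fragment at offset 1907 overlaps the earlier one at 1906 (both 20 bytes, same IP-ID 0), so the tracker raises one overlap alert, while the ID 7 datagram is dropped on timeout and both remaining trackers end as incomplete; a datagram whose fragments arrive in time and cover 0..end without gaps counts as rebuilt instead.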

