[Snort-devel] snort v2: new pb Tiny Fragment ...

rmkml rmkml at ...1042...
Mon Apr 28 10:00:27 EDT 2003


Hi All,

Attached is traffic from this morning (tcpdump file).

In this traffic, two UDP sessions are fragmented ...

but snort (191b234 and 200b72) does not raise an event for this ...

(firestorm, another NIDS, does raise an event for this)

Look at the tcpdump output:

00:36:06.008479 62.252.112.33.1214 > 80.14.9.191.2337: [bad udp cksum e946!] udp 1313 (frag 59834:552 at ...475...+) (ttl 111, len 572)
00:36:06.200405 62.252.112.33 > 80.14.9.191: udp (frag 59834:552 at ...1958...+) (ttl 111, len 572)
00:36:06.236630 62.252.112.33 > 80.14.9.191: udp (frag 59834:217 at ...1959...) (ttl 111, len 237)
00:36:06.236710 80.14.9.191 > 62.252.112.33: icmp: 80.14.9.191 udp port 2337 unreachable for 62.252.112.33.1214 > 80.14.9.191.2337: udp 1313 (ttl 111, id 59834, len 1341) [tos 0xc0]  (ttl 64, id 59479, len 576)

Why does snort not raise an event for this? (Tiny Fragment)

My snort conf is:
 preprocessor frag2

Regards.

Look at the snort verbose output:

===============================================================================

Snort processed 10 packets.
Breakdown by protocol:                Action Stats:
    TCP: 8          (80.000%)         ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 2          (20.000%)         PASSED: 0
    ARP: 0          (0.000%)
  EAPOL: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================

Wireless Stats:
Breakdown by type:
    Management Packets: 0          (0.000%)
    Control Packets:    0          (0.000%)
    Data Packets:       0          (0.000%)
===============================================================================

Fragmentation Stats:
Fragmented IP Packets: 6          (60.000%)
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
===============================================================================

TCP Stream Reassembly Stats:
   TCP Packets Used:      0          (0.000%)
   Reconstructed Packets: 0          (0.000%)
   Streams Reconstructed: 0
===============================================================================


-------------- next part --------------
A non-text attachment was scrubbed...
Name: firestorm_tinyfragment.tcpdump.gz
Type: application/x-gzip
Size: 1839 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030428/6926b73f/attachment.bin>

