[Snort-devel] snort and fragmentation

rmkml rmkml at ...1042...
Thu Mar 27 01:52:35 EST 2003


Hi,

I received a new fragmented packet this morning ...

and Snort did not raise an event for it!

(Firestorm, [other NIDS], raised an event for it ...)

I have attached a tcpdump file with the fragment ...

Why does Snort not raise an event for bad fragmentation?

But Snort does see the fragment:
==========================================
Fragmentation Stats:
Fragmented IP Packets: 1          (0.000%)
    Fragment Trackers: 1
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
==========================================

and the Snort conf is the same as yesterday ...
and I use Snort version 191b234.

Regards.



rmkml wrote:

> Hi All,
>
> I received this packet this morning (tcpdump file attached),
>
> but Snort did not raise an event for the fragmented packet.
> (On this trace, not packet frag/end ..., and is strange snort event this
> ?)
>
> Why?
>
> This is the only traffic in the file; there is no other traffic with net 192.168.123.x.
> (OK, my box has an eDonkey (p2p) client on Linux on TCP port 4662)
>
> But Snort does see the fragmented packet:
> ========================
> Fragmentation Stats:
> Fragmented IP Packets: 2          (0.000%)
>     Fragment Trackers: 1
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
>   Frag2 memory faults: 0
> =========================
>
> The other NIDS, Firestorm, raises an event for this ...
>
> I use Snort 191b233.
>
> Regards.
>
> Snort frag conf:
>
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>
> PS: Sorry for my bad English
>
>   ------------------------------------------------------------------------
>                       Name: frag.tcpdump.gz
>    frag.tcpdump.gz    Type: application/x-gzip
>                   Encoding: base64
-------------- next part --------------
A non-text attachment was scrubbed...
Name: frag2.tcpdump.gz
Type: application/x-gzip
Size: 20848 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030327/c71d4c3b/attachment.bin>
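
Both sets of statistics above show fragments counted and a tracker allocated, but zero rebuilt packets. The following is an added example (not part of the original post and not Snort's frag2 code) showing one way to check a capture's IPv4 headers for fragment trains that are missing their final fragment; the function names, IP IDs and host addresses are constructed for illustration.

```python
import struct
from collections import defaultdict

IP_MF = 0x2000        # "more fragments" flag
IP_OFFMASK = 0x1FFF   # fragment offset, in 8-byte units

def make_ipv4(src, dst, ident, offset_units, more_frags, payload_len, proto=6):
    """Constructed sample packet: 20-byte IPv4 header (checksum 0) + zero payload."""
    flags_off = (IP_MF if more_frags else 0) | offset_units
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                      flags_off, 64, proto, 0, bytes(src), bytes(dst))
    return hdr + bytes(payload_len)

def fragment_trains(packets):
    """Group IPv4 fragments by (src, dst, id, proto); report which trains can be rebuilt."""
    trains = defaultdict(list)
    for pkt in packets:
        vihl, _, total, ident, flags_off, _, proto, _, src, dst = struct.unpack(
            "!BBHHHBBH4s4s", pkt[:20])
        more = bool(flags_off & IP_MF)
        offset = (flags_off & IP_OFFMASK) * 8
        if not more and offset == 0:
            continue                          # ordinary, unfragmented packet
        payload = total - (vihl & 0x0F) * 4   # bytes carried by this fragment
        trains[(src, dst, ident, proto)].append((offset, payload, more))
    report = {}
    for key, frags in trains.items():
        frags.sort()
        covered, hole = 0, False
        for offset, length, _ in frags:
            hole = hole or offset > covered   # gap before this fragment
            covered = max(covered, offset + length)
        has_last = any(not more for _, _, more in frags)
        report[key] = {"fragments": len(frags), "has_last": has_last,
                       "complete": has_last and not hole}
    return report

A, B = (192, 168, 123, 10), (192, 168, 123, 20)   # constructed addresses
SAMPLE = [
    make_ipv4(A, B, 0x1234, 0, True, 24),    # first fragment, nothing follows
    make_ipv4(A, B, 0x2222, 0, True, 16),    # complete two-fragment train
    make_ipv4(A, B, 0x2222, 2, False, 8),
    make_ipv4(A, B, 0x3333, 0, False, 40),   # not fragmented
]

if __name__ == "__main__":
    for key, info in fragment_trains(SAMPLE).items():
        print(hex(key[2]), info)
```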