[Snort-devel] snort and fragmentation
cmg at ...402...
Thu Mar 27 06:24:28 EST 2003
rmkml <rmkml at ...1042...> writes:
> there was not an initial fragment ...
> and there was no fragment since 12h ...
If you really just want fragments to be logged
use the rule (untested - may need some syntax help):
alert ip any any -> any any (msg: "frags... yawn"; fragbits: M+;)
alert ip any any -> any any (msg: "frags2... yawn"; fragoffset: >0;)
If firestorm is just alerting on an incomplete fragment, it's not
something that I've heard a good argument for considering the number
of times that will happen on boxes that people install 2 or 3 pcap
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
-- Groucho Marx
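
Which fragments each of the two rules in the message above would catch, as an added example that is not part of the original message or of Snort's code: a Python sketch that decodes the flags/offset field of constructed IPv4 headers and applies the same two conditions (MF set, offset greater than zero). The function names, addresses and header values are assumptions made for illustration.

```python
import struct

IP_DF, IP_MF = 0x4000, 0x2000   # flag bits in the 16-bit flags/offset field
IP_OFFMASK = 0x1FFF             # 13-bit fragment offset, in 8-byte units

def build_ipv4_header(ident, flags, offset_units, payload_len=8):
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    frag_field = flags | (offset_units & IP_OFFMASK)
    return struct.pack("!BBHHHBBH4s4s",
                       0x45, 0, 20 + payload_len, ident, frag_field,
                       64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))

def frag_fields(header):
    """Return (MF set?, fragment offset in bytes) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (frag_field,) = struct.unpack_from("!H", header, 6)
    return bool(frag_field & IP_MF), (frag_field & IP_OFFMASK) * 8

def matching_rules(header):
    """Messages of the rules from the email that this header would trigger."""
    more_fragments, offset = frag_fields(header)
    hits = []
    if more_fragments:   # fragbits: M+  -> MF set, other flag bits ignored
        hits.append("frags... yawn")
    if offset > 0:       # fragoffset: >0 -> any non-initial fragment
        hits.append("frags2... yawn")
    return hits

# Constructed sample headers, not captured traffic.
SAMPLES = {
    "unfragmented (DF)": build_ipv4_header(1, IP_DF, 0),
    "first fragment":    build_ipv4_header(2, IP_MF, 0),
    "middle fragment":   build_ipv4_header(2, IP_MF, 185),
    "last fragment":     build_ipv4_header(2, 0, 370),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(f"{name:20s} -> {matching_rules(hdr) or 'no alert'}")
```

A first fragment trips only the fragbits rule, a last fragment only the fragoffset rule, and a middle fragment trips both, so the pair together covers every fragment of a datagram.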