[Snort-devel] snort and fragmentation

Chris Green cmg at ...402...
Thu Mar 27 06:24:28 EST 2003


rmkml <rmkml at ...1042...> writes:

> there was not an initial fragment ...
> and there was no fragment since 12h ...

If you really just want fragments to be logged

use the rule (untested - may need some syntax help

alert ip any any -> any any (msg: "frags... yawn"; fragbits: M+;)
alert ip any any -> any any (msg: "frags2... yawn"; fragoffset: >0;)

If firestorm is just alerting on a incomplete fragment, it's not
something that I've heard a good argument for considering the number
of times that will happen on boxes that people install 2 or 3 pcap
apps on.
-- 
Chris Green <cmg at ...402...>
I've had a perfectly wonderful evening. But this wasn't it.
     -- Groucho Marx




More information about the Snort-devel mailing list