[Snort-devel] snort v2 pb with tcp frag (teardrop)

rmkml rmkml at ...1042...
Thu May 15 02:51:10 EDT 2003


Hi,

I received two packets this night (tcpdump file attached):

21:05:44.193817 80.14.226.35 > 81.48.102.221: tcp (frag 0:20 at ...1467...) (ttl 251, len 40)
21:06:27.489400 80.14.226.35 > 81.48.102.221: tcp (frag 0:20 at ...1984...) (ttl 251, len 40)

81.48.102.221 is my IP ... (no other traffic with IP 80.14.226.35)

Firestorm (another NIDS) raised a Teardrop event,

but Snort v200b72 or v191b234 did not raise an event for this ...
(on FreeBSD 4.8)

Why ?

My conf:
No arguments to frag2 directive, setting defaults to:
    Fragment timeout: 60 seconds
    Fragment memory cap: 4194304 bytes
    Fragment min_ttl:   0
    Fragment ttl_limit: 5
    Fragment Problems: 0

Regards.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firestorm-teardrop.tcpdump.gz
Type: application/x-gzip
Size: 148 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030515/9089af79/attachment.bin>

