[Snort-devel] snort v1.91 and v2.00 = pb tcp Frag BOINK ...

rmkml rmkml at ...1042...
Wed May 21 12:00:11 EDT 2003


Hi,

I use snort v1.9.1b234 and snort v2.0.0b72,

and I received this fragmented packet this morning (tcpdump/pcap file attached):

10:27:33.010308 81.51.106.64 > 80.14.9.206: tcp (frag 0:20 at ...1995...+) (ttl 251, len 40)

Snort does NOT alert on this! (and prelude-nids does not alert either)

Firestorm (another NIDS) does alert on it:
May 21 10:27:33 crusoe 11 firestorm-nids053pre3frag: 1053505653.010309
alert=ipfrag sig=4.0 priority=5 src=81.51.106.64 dst=80.14.9.206
proto=6  : Boink

and I found this documentation on boink:
http://www.attrition.org/security/denial/w/bonk.dos.html

My question is:

WHY does Snort not alert on boink ...
and

WHY does Snort not alert on the teardrop attack?

Snort has big problems with many frag attacks ...

Regards.

Crusoe Researchs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: firestorm-frag_boink.tcpdump.gz
Type: application/x-gzip
Size: 1156 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20030521/00c2edb4/attachment.bin>


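The post reports a fragment that one NIDS classifies as Boink while Snort and prelude-nids stay silent, and asks the same about teardrop. As an added example (not code from the original post, from Snort, Firestorm or prelude-nids), here is a minimal IPv4 fragment-overlap detector in Python run over constructed traffic: it builds raw fragments by hand so it needs no scapy or pcap file. The sample fragment layout (a 36-byte first fragment, then a 4-byte fragment at offset 24 that lies entirely inside it) is assumed from the classic teardrop tool layout, the addresses are the ones in the tcpdump line above, and `naive_reassembly_len` is a simplified model of the historic reassembly bug those tools exploited, not any specific kernel's code.

```python
import struct
from collections import defaultdict

# Added example: not Snort, Firestorm or prelude-nids code. Fragments are built
# by hand so the script runs offline without scapy or the attached pcap.

def ip_to_bytes(dotted):
    return bytes(int(o) for o in dotted.split("."))

def build_ipv4(src, dst, ident, proto, frag_off, more_frags, payload, ttl=64):
    """Return header+payload for one IPv4 fragment. frag_off is in bytes and
    must be a multiple of 8. The checksum is left at 0; the parser ignores it."""
    assert frag_off % 8 == 0
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, ttl, proto, 0, ip_to_bytes(src), ip_to_bytes(dst))
    return hdr + payload

def parse_ipv4(pkt):
    """Decode the fields a fragment reassembler cares about."""
    ver_ihl, _, total_len, ident, flags_frag, _ttl, proto, _, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "src": src, "dst": dst, "ident": ident, "proto": proto,
        "mf": bool(flags_frag & 0x2000),          # More Fragments flag
        "offset": (flags_frag & 0x1FFF) * 8,      # fragment offset in bytes
        "payload_len": total_len - ihl,
    }

def naive_reassembly_len(prev_end, start, end):
    """Simplified model (an assumption, not any particular kernel's code) of the
    historic bug: when a new fragment starts inside an earlier one, its start is
    bumped to the earlier fragment's end and the copy length is end - start.
    A fragment that ends before prev_end therefore yields a negative length."""
    if start < prev_end:
        start = prev_end
    return end - start

class FragTracker:
    """Tracks received byte ranges per (src, dst, id, proto) and flags overlaps."""
    def __init__(self):
        self.seen = defaultdict(list)

    def feed(self, pkt):
        p = parse_ipv4(pkt)
        if not p["mf"] and p["offset"] == 0:
            return None                            # not a fragment at all
        key = (p["src"], p["dst"], p["ident"], p["proto"])
        start, end = p["offset"], p["offset"] + p["payload_len"]
        verdict = None
        for s, e in self.seen[key]:
            if start < e and end > s:             # byte ranges intersect
                if naive_reassembly_len(e, start, end) < 0:
                    verdict = "teardrop-style overlap (negative length in naive reassembly)"
                else:
                    verdict = "overlapping fragment"
                break
        self.seen[key].append((start, end))
        return verdict

def scan(packets):
    """Feed packets in order; return one verdict (or None) per packet."""
    tracker = FragTracker()
    return [tracker.feed(p) for p in packets]

# Constructed sample traffic: addresses from the post, payloads and IDs made up.
SRC, DST, UDP = "81.51.106.64", "80.14.9.206", 17
TEARDROP_PAIR = [
    build_ipv4(SRC, DST, 242, UDP, 0, True, b"\x00" * 36),   # bytes 0..36, MF set
    build_ipv4(SRC, DST, 242, UDP, 24, False, b"\x00" * 4),  # bytes 24..28, inside the first
]
BENIGN_PAIR = [
    build_ipv4(SRC, DST, 7, UDP, 0, True, b"A" * 16),        # bytes 0..16
    build_ipv4(SRC, DST, 7, UDP, 16, False, b"B" * 8),       # bytes 16..24, adjacent
]

if __name__ == "__main__":
    for name, pkts in (("teardrop", TEARDROP_PAIR), ("benign", BENIGN_PAIR)):
        print(name, scan(pkts))
```

The check is deliberately per-fragment rather than waiting for reassembly to finish, because an attack pair like this one never completes: the point of the detector is that an overlap is suspicious the moment the second fragment arrives, whether or not a final fragment ever follows.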