No subject

Thu Nov 23 16:31:58 EST 2017

alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"MISC Tiny Fragments";
fragbits:M; dsize: < 25; classtype:bad-unknown; sid:522; rev:1;)

This has existed for a while and is the reason that we dumped the minfrag
preprocessor (as a historical note).  Tiny frags do happen, but I've rarely
see them outside of live attacks.  Then again, I don't hang on .edu networks
very much... ;)

>> Basically all the chaffing at the IP and TCP level is detectable as those
>> should not be normal conditions.
> Per the above, this is unfortunately not true, if you're watching a large
> traffic stream.  For small traffic streams (e.g., a hundred local hosts),
> yes, my experience has been that these don't normally occur.

Snort has both TCP and IP forward overlap detection and mitigation in its
stream and defrag preprocessors, something might not be working right
currently (we've been doing lots of dev work lately, it's not inconceivable
that something may have been broken).  When Dug sent me the message about
the problems back in January I took the time to fix the overlap conditions
and we worked out minimum TTL drops as well.  The chaffing conditions should
be defeated since then, we're doing some testing over here to see what's
going on and seeing if the readme.snort with fragroute needs some updating.

So, for the record:

1. older TCP retransmission chaff - FIXED in January

2. forward TCP segmentation overlap, favoring newer data - FIXED in January

3. chaff TCP segments with older TCP timestamp options forcing PAWS
elimination - NOT FIXED

4. older IP fragment duplicates - FIXED in January

5. IP duplicate fragment chaff with bad options - NOT FIXED

6. either TCP or IP chaffing with short TTLs - FIXED in January

We currently *do not* have the following:

PAWS detection/bad packet drops
IP frags with bad options drops

I'll see about adding them this weekend.

As a side note, it might be nice if we could test the commercial systems out
there to see how they fare, the damn media is having a field day with this


Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)290-1616
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...402... -
Snort: Open Source Network IDS -

More information about the Snort-devel mailing list