[Snort-sigs] False Positive for SID 1322: bad frag bits

Sam Gorton sgorton at ...1636...
Thu Jun 26 11:54:10 EDT 2003

I saw SID 1322 pretty consistently between Linux hosts communicating 
via NFS. Apparently Linux sets the DF bit on fragments while doing UDP 
PMTU discovery, a matter of some controversy and a definite false 
positive situation.

Reference: http://kerneltrap.org/node.php?id=579

Sam Gorton                |   Skaion Corporation
sgorton at ...1636...   |   (781) 396-1095
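
An added triage example, not part of the original post and not Snort's own code: it decodes the IPv4 flags field and separates packets carrying both DF and MF (the combination the post describes) into likely NFS traffic and everything else. It assumes the alert keys on DF and MF set together, since the page does not quote the rule text, and that NFS uses UDP port 2049; the packets are constructed samples.

```python
import struct

DF = 0x4000        # Don't Fragment bit in the 16-bit flags/offset field
MF = 0x2000        # More Fragments bit
OFFSET_MASK = 0x1FFF
NFS_PORT = 2049    # assumption: standard NFS port, used only for triage


def build_ipv4_udp(flags_frag, sport, dport):
    """Constructed sample: 20-byte IPv4 header followed by an 8-byte UDP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x1234, flags_frag,
                     64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + struct.pack("!HHHH", sport, dport, 8, 0)


def classify(packet):
    """Return 'clean', 'df-mf-nfs', 'df-mf-nonfirst' or 'df-mf-other'."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IPv4 header length")
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    if not (flags_frag & DF and flags_frag & MF):
        return "clean"                       # the DF+MF condition is not met
    if flags_frag & OFFSET_MASK:
        # Later fragments carry no UDP header; correlate by IP ID instead.
        return "df-mf-nonfirst"
    if packet[9] == 17 and len(packet) >= ihl + 4:
        sport, dport = struct.unpack_from("!HH", packet, ihl)
        if NFS_PORT in (sport, dport):
            return "df-mf-nfs"               # matches the false positive described
    return "df-mf-other"                     # still worth an analyst's look


if __name__ == "__main__":
    samples = {
        "NFS first fragment, DF+MF": build_ipv4_udp(DF | MF, 800, NFS_PORT),
        "NFS datagram, DF only": build_ipv4_udp(DF, 800, NFS_PORT),
        "DNS first fragment, DF+MF": build_ipv4_udp(DF | MF, 4000, 53),
        "later fragment, DF+MF": build_ipv4_udp(DF | MF | 185, 0, 0),
    }
    for name, pkt in samples.items():
        print(f"{name}: {classify(pkt)}")
```

A result of `df-mf-nfs` between known Linux NFS peers is a candidate for a source/destination-scoped suppression rather than disabling the signature outright.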
