[Snort-users] defrag preprocessor oddity on HP-UX

Ralf Hildebrandt Ralf.Hildebrandt at ...22...
Thu Oct 5 17:24:17 EDT 2000


I just recently installed snort-1.6.3 beta 2 -- and AT LAST the defrag
preprocessor seems to worg (e.g. snort doesn't crash after 5 minutes)

Nevertheless I noticed some oddities: I use snort to monitor a small subset
of the 134.169/16 subnet; the preprocessor reports:

Oct  5 14:19:58 stahlw06 snort[2271]: Mostly Empty Fragmented Packet
Discarded!: 217.143.134.169 -> 79.157.134.169
Oct  5 14:24:54 stahlw06 snort[2271]: Mostly Empty Fragmented Packet
Discarded!: 163.53.134.169 -> 41.195.134.169

These Addresses make no sense -- but if you swap bytes 1&2 with 3&4, the
addresses might just be ok?!
79.157.134.169 becomes 134.169.79.157

-- 
ralf.hildebrandt at ...22...
Dipl.-Informatiker                                       innominate AG
system engineer                                      networking people
tel: +49.30.308806-62  fax: -77   http://innominate.de  pgp at request
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 358 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20001005/e3d5eb91/attachment.sig>


More information about the Snort-users mailing list