[Snort-users] defrag preprocessor oddity on HP-UX

Dragos Ruiu dr at ...381...
Thu Oct 5 23:57:03 EDT 2000


On Thu, 05 Oct 2000, Ralf Hildebrandt wrote:
> 
> I just recently installed snort-1.6.3 beta 2 -- and AT LAST the defrag
> preprocessor seems to work (e.g. snort doesn't crash after 5 minutes)
> 
> Nevertheless I noticed some oddities: I use snort to monitor a small subset
> of the 134.169/16 subnet; the preprocessor reports:
> 
> Oct  5 14:19:58 stahlw06 snort[2271]: Mostly Empty Fragmented Packet
> Discarded!: 217.143.134.169 -> 79.157.134.169
> Oct  5 14:24:54 stahlw06 snort[2271]: Mostly Empty Fragmented Packet
> Discarded!: 163.53.134.169 -> 41.195.134.169
> 
> These addresses make no sense -- but if you swap bytes 1&2 with 3&4, the
> addresses might just be ok?!
> 79.157.134.169 becomes 134.169.79.157
>


That alert is from the jolt2 protection code....

If the packet is huge and most of the fragments for it
are missing when the tail segment is received (such as
in a jolt2 attack) it discards it and should give that
message. (Not that a bug could be out of the question. :-)

Monstergrams in the presence of heavy packet loss 
could false this... but it seems _very_ unlikely to occur
naturally to me...

cheers,
--dr

-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
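The discard heuristic Dragos describes, as an added illustration that is not Snort's own preprocessor code: a tracker that, when the tail fragment (MF clear) of a datagram arrives, compares the bytes seen so far against the total length the tail implies and reports the datagram as mostly empty below a threshold. The 50% ratio, the `Fragment`/`FragTracker` names and the sample fragments are assumptions constructed for this example; `swap_halfwords` only reverses the 16-bit swap Ralf noticed so the logged addresses can be read.

```python
from collections import defaultdict

MOSTLY_EMPTY_RATIO = 0.5  # assumed threshold for illustration, not Snort's value


class Fragment:
    """One IP fragment; offset is in 8-byte units as carried in the IP header."""

    def __init__(self, src, dst, ident, offset, payload_len, more_fragments):
        self.src, self.dst, self.ident = src, dst, ident
        self.offset = offset                  # fragment offset field (units of 8 bytes)
        self.payload_len = payload_len        # bytes of data in this fragment
        self.more_fragments = more_fragments  # MF flag; False marks the tail


class FragTracker:
    """Counts payload bytes per (src, dst, id) until the tail fragment shows up."""

    def __init__(self):
        self.seen = defaultdict(int)

    def process(self, frag):
        key = (frag.src, frag.dst, frag.ident)
        self.seen[key] += frag.payload_len
        if frag.more_fragments:
            return None  # not the tail yet; total datagram size still unknown
        # The tail fixes the datagram's total payload length.
        total = frag.offset * 8 + frag.payload_len
        received = self.seen.pop(key)
        if total and received / total < MOSTLY_EMPTY_RATIO:
            return f"Mostly Empty Fragmented Packet Discarded!: {frag.src} -> {frag.dst}"
        return None


def swap_halfwords(dotted):
    """Exchange the two 16-bit halves of a dotted-quad, e.g. 79.157.134.169 -> 134.169.79.157."""
    a, b, c, d = dotted.split(".")
    return f"{c}.{d}.{a}.{b}"


if __name__ == "__main__":
    t = FragTracker()
    # Constructed jolt2-style case: a lone tail fragment at a huge offset.
    print(t.process(Fragment("217.143.134.169", "79.157.134.169", 1, 8000, 8, False)))
    print(swap_halfwords("79.157.134.169"))
```

A datagram that merely lost a few fragments stays above the ratio, which is the "heavy packet loss could false this" case: it is only flagged when most of the data never arrived.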
