[Snort-users] defrag preprocessor oddity on HP-UX

Dragos Ruiu dr at ...381...
Thu Oct 5 23:57:03 EDT 2000

On Thu, 05 Oct 2000, Ralf Hildebrandt wrote:
> I just recently installed snort-1.6.3 beta 2 -- and AT LAST the defrag
> preprocessor seems to work (e.g. snort doesn't crash after 5 minutes)
> Nevertheless I noticed some oddities: I use snort to monitor a small subset
> of the 134.169/16 subnet; the preprocessor reports:
> Oct  5 14:19:58 stahlw06 snort[2271]: Mostly Empty Fragmented Packet
> Discarded!: ->
> Oct  5 14:24:54 stahlw06 snort[2271]: Mostly Empty Fragmented Packet
> Discarded!: ->
> These Addresses make no sense -- but if you swap bytes 1&2 with 3&4, the
> addresses might just be ok?!
> becomes

That alert is from the jolt2 protection code....

If the packet is huge and most of the fragments for it
are missing when the tail segment is received (such as
in a jolt2 attack) it discards it and should give that
message. (Not that a bug could be out of the question. :-)

Monstergrams in the presence of heavy packet loss 
could false this... but it seems _very_ unlikely to occur
naturally to me...


Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
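The discard rule the reply describes (a large datagram whose tail fragment arrives while most of its bytes are still missing) can be modelled in a few lines. The following is an added illustration, not Snort's defrag preprocessor code; the `Fragment`/`Defragger` names, the 8192-byte size floor and the 25% fill ratio are assumptions chosen for the example, and the fragments fed in are constructed, not captured traffic. It also shows the caveat from the reply: a genuinely large datagram that has lost most of its fragments trips the same rule.

```python
# Added example: a minimal model of the "mostly empty fragmented packet"
# heuristic. Not Snort code; thresholds and names are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_IP_DATAGRAM = 65535  # largest total length an IPv4 datagram can declare


@dataclass
class Fragment:
    """One IP fragment (constructed for the example, not from a capture)."""
    ident: int    # IP identification field shared by all fragments of a datagram
    offset: int   # fragment offset in bytes (header field * 8)
    length: int   # payload bytes carried by this fragment
    more: bool    # True when the More-Fragments flag is set


@dataclass
class Datagram:
    received: int = 0                # payload bytes seen so far
    expected: Optional[int] = None   # total size, known once the tail arrives
    frags: int = 0


def mostly_empty(received: int, expected: int,
                 min_size: int = 8192, min_fill: float = 0.25) -> bool:
    """True when a large datagram completes with most of its bytes missing.

    Small datagrams are never flagged (a few lost fragments is normal); large
    ones are flagged only when far less than `min_fill` of them has arrived.
    """
    return expected >= min_size and received < expected * min_fill


class Defragger:
    """Tracks fragments per IP id and gives a verdict when the tail arrives.

    Simplification: fragments arriving after the tail are treated as a new
    datagram, and overlapping fragments are counted twice. Enough to show the
    heuristic, not a reassembler.
    """

    def __init__(self, min_size: int = 8192, min_fill: float = 0.25) -> None:
        self.table: Dict[int, Datagram] = {}
        self.min_size = min_size
        self.min_fill = min_fill

    def feed(self, frag: Fragment) -> Optional[str]:
        if frag.offset + frag.length > MAX_IP_DATAGRAM:
            return "discard: oversized"      # would exceed the IP length limit
        d = self.table.setdefault(frag.ident, Datagram())
        d.received += frag.length
        d.frags += 1
        if frag.more:
            return None                      # still waiting for the tail
        d.expected = frag.offset + frag.length
        self.table.pop(frag.ident)           # datagram complete (or given up)
        if mostly_empty(d.received, d.expected, self.min_size, self.min_fill):
            return "discard: mostly empty"
        return "reassemble"


def demo() -> List[str]:
    """Feed three constructed datagrams; return the verdict for each tail."""
    d = Defragger()
    verdicts = []
    # 1: a lone tail fragment near the end of the 64K range, nothing before it
    verdicts.append(d.feed(Fragment(ident=1, offset=65520, length=8, more=False)))
    # 2: an ordinary 3000-byte datagram, all three fragments present
    d.feed(Fragment(ident=2, offset=0, length=1480, more=True))
    d.feed(Fragment(ident=2, offset=1480, length=1480, more=True))
    verdicts.append(d.feed(Fragment(ident=2, offset=2960, length=40, more=False)))
    # 3: a 20000-byte datagram that lost all but its first and last fragment
    d.feed(Fragment(ident=3, offset=0, length=1480, more=True))
    verdicts.append(d.feed(Fragment(ident=3, offset=19480, length=520, more=False)))
    return verdicts


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Case 3 is the "monstergram under heavy packet loss" situation from the reply: the rule cannot tell it from case 1, which is why the size floor and fill ratio are the knobs a deployment would tune, and why the alert is worth correlating with other evidence of loss before treating it as an attack.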
