[Snort-users] Tiny Fragments

Bob Van Cleef vancleef at ...211...
Fri Oct 6 16:51:44 EDT 2000


I'm seeing VPN traffic being reported as:

[**] Tiny Fragments - Possible Hostile Activity [**]
10/03-18:41:33.171903 192.86.6.100 -> 63.197.77.21
 TTL:32 TOS:0x0 ID:51306  MF
Frag Offset: 0x0   Frag Size: 0x38

There is no matching signature in the visions.conf file, so where
is this one coming from and how can I suppress it?

Bob
-- 
><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
Bob Van Cleef, Member of Technical Staff         (408) 734-8100
MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
475 Potrero Ave., Sunnyvale, CA 94086   vancleef at ...211...

Sample Packet DUMP:

[**] Tiny Fragments - Possible Hostile Activity [**]
10/03-09:19:39.925356 192.86.6.100 -> 63.197.77.21
 TTL:32 TOS:0x10 ID:20808  MF
Frag Offset: 0x0   Frag Size: 0x38
00 00 30 01 00 00 03 5C FB 93 7F 33 12 14 C7 19  ..0....\...3....
DE 9C D0 19 23 88 8C 67 A5 0E B1 C1 FD 72 4F EC  ....#..g.....rO.
C0 B1 66 90 CF B0 4D 7C C7 B1 60 79 FD DA 3E 64  ..f...M|..`y..>d
A7 4C 12 87 44 BD A0 01                          .L..D...





More information about the Snort-users mailing list