[Snort-users] Tiny Fragments
jed at ...153...
Fri Oct 6 18:48:37 EDT 2000
> I'm seeing VPN traffic being reported as:
> [**] Tiny Fragments - Possible Hostile Activity [**]
> 10/03-18:41:33.171903 184.108.40.206 -> 220.127.116.11
> TTL:32 TOS:0x0 ID:51306 MF
> Frag Offset: 0x0 Frag Size: 0x38
> There is no matching signature in the visions.conf file, so where
> is this one coming from and how can I suppress it?
That is the minfrag preprocessor. You will need to comment it out of
your configuration file or change the argument to suppress the
Here are the lines from snort-lib.
# minfrag takes the minimum fragment size (in bytes) threshold as its argument
# fragmented packets at of below this size will cause an alert to be generated
# preprocessor minfrag: 128
More information about the Snort-users