[Snort-users] Tiny Fragments

Jed Pickel jed at ...153...
Fri Oct 6 18:48:37 EDT 2000


> I'm seeing VPN traffic being reported as:
> 
> [**] Tiny Fragments - Possible Hostile Activity [**]
> 10/03-18:41:33.171903 192.86.6.100 -> 63.197.77.21
>  TTL:32 TOS:0x0 ID:51306  MF
> Frag Offset: 0x0   Frag Size: 0x38
> 
> There is no matching signature in the visions.conf file, so where
> is this one coming from and how can I suppress it?

That is the minfrag preprocessor. You will need to comment it out of 
your configuration file or change the argument to suppress the
message.

Here are the lines from snort-lib.

# minfrag takes the minimum fragment size (in bytes) threshold as its argument
# fragmented packets at of below this size will cause an alert to be generated

# preprocessor minfrag: 128
^

* Jed



More information about the Snort-users mailing list