[Snort-users] Tiny Fragments

Adam Olson adamo at ...41...
Fri Oct 6 19:08:20 EDT 2000


  Bob,

  It's coming from:

  preprocessor minfrag: 128

  in your config...you can change this to whatever works best for your
  net.

  Adam
  

On Fri, 6 Oct 2000, Bob Van Cleef wrote:

> 
> I'm seeing VPN traffic being reported as:
> 
> [**] Tiny Fragments - Possible Hostile Activity [**]
> 10/03-18:41:33.171903 192.86.6.100 -> 63.197.77.21
>  TTL:32 TOS:0x0 ID:51306  MF
> Frag Offset: 0x0   Frag Size: 0x38
> 
> There is no matching signature in the visions.conf file, so where
> is this one coming from and how can I suppress it?
> 
> Bob
> -- 
> ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>  ><>
> Bob Van Cleef, Member of Technical Staff         (408) 734-8100
> MicroUnity Systems Engineering, Inc.         FAX (408) 734-8136
> 475 Potrero Ave., Sunnyvale, CA 94086   vancleef at ...211...
> 
> Sample Packet DUMP:
> 
> [**] Tiny Fragments - Possible Hostile Activity [**]
> 10/03-09:19:39.925356 192.86.6.100 -> 63.197.77.21
>  TTL:32 TOS:0x10 ID:20808  MF
> Frag Offset: 0x0   Frag Size: 0x38
> 00 00 30 01 00 00 03 5C FB 93 7F 33 12 14 C7 19  ..0....\...3....
> DE 9C D0 19 23 88 8C 67 A5 0E B1 C1 FD 72 4F EC  ....#..g.....rO.
> C0 B1 66 90 CF B0 4D 7C C7 B1 60 79 FD DA 3E 64  ..f...M|..`y..>d
> A7 4C 12 87 44 BD A0 01                          .L..D...
> 
> 
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> http://lists.sourceforge.net/mailman/listinfo/snort-users
> 




More information about the Snort-users mailing list