[Snort-users] Tiny Fragments

Dragos Ruiu dr at ...50...
Fri Oct 6 20:29:22 EDT 2000


On Fri, 06 Oct 2000, you wrote:
> I'm seeing VPN traffic being reported as:
> 
> [**] Tiny Fragments - Possible Hostile Activity [**]
> 10/03-18:41:33.171903 192.86.6.100 -> 63.197.77.21
>  TTL:32 TOS:0x0 ID:51306  MF
> Frag Offset: 0x0   Frag Size: 0x38
> 
> There is no matching signature in the visions.conf file, so where
> is this one coming from and how can I suppress it?


These come from the minfrag preprocessor.  The default snort-lib 
setting reports on all fragments smaller than 128 characters.

Offhand I don't know what tools would default to 38 byte
fragments (it ain't hping2, fragrouter, or nmap, unless 
someone has learned to use the command line opts :-)

If they are all the same size.... that would be suspicious 
traffic in my book. (both your examples were 38)

And as a suggestion for everyone posting samples...
the -O obfuscate option will obfuscate your IP.
(Now I wonder if -O could be upgraded to also
obfuscate the IP from the data payload dump.... :-)


cheers,
--dr
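
As an added example (not part of the original post, and not Snort code): a Python script that parses alerts in the layout quoted above, applies the 128-byte threshold mentioned in the reply, and flags source/destination pairs whose tiny fragments are all the same size. The sample alerts are constructed with documentation-range addresses, and the Frag Offset and Frag Size fields are assumed to be hexadecimal, as their 0x prefix indicates.

```python
import re
from collections import Counter

# Constructed sample alerts in the layout quoted above (documentation-range IPs).
SAMPLE = """\
[**] Tiny Fragments - Possible Hostile Activity [**]
10/03-18:41:33.171903 192.0.2.10 -> 198.51.100.21
 TTL:32 TOS:0x0 ID:51306  MF
Frag Offset: 0x0   Frag Size: 0x38

[**] Tiny Fragments - Possible Hostile Activity [**]
10/03-18:41:34.002114 192.0.2.10 -> 198.51.100.21
 TTL:32 TOS:0x0 ID:51307  MF
Frag Offset: 0x0   Frag Size: 0x38

[**] Tiny Fragments - Possible Hostile Activity [**]
10/03-18:42:01.500000 192.0.2.77 -> 198.51.100.21
 TTL:64 TOS:0x0 ID:100  MF
Frag Offset: 0x0   Frag Size: 0x10
"""

# Timestamp line: "MM/DD-HH:MM:SS.usec src -> dst"
ADDR = re.compile(r"^\d\d/\d\d-\S+\s+(\S+) -> (\S+)", re.M)
# Both fragment fields carry a 0x prefix, so parse them as base 16.
FRAG = re.compile(r"Frag Offset: 0x([0-9A-Fa-f]+)\s+Frag Size: 0x([0-9A-Fa-f]+)")

def parse_alerts(text):
    """Yield (src, dst, offset, size) per alert block, with hex fields as ints."""
    for block in re.split(r"\n\s*\n", text.strip()):
        addr, frag = ADDR.search(block), FRAG.search(block)
        if addr and frag:  # skip blocks that are not fragment alerts
            yield (addr.group(1), addr.group(2),
                   int(frag.group(1), 16), int(frag.group(2), 16))

def summarize(text, minfrag=128):
    """Group fragments below the threshold by (src, dst) and flag uniform sizes."""
    seen = {}
    for src, dst, _offset, size in parse_alerts(text):
        if size < minfrag:
            seen.setdefault((src, dst), Counter())[size] += 1
    return {pair: {"sizes": dict(c),
                   "uniform": len(c) == 1 and sum(c.values()) > 1}
            for pair, c in seen.items()}

if __name__ == "__main__":
    for pair, info in summarize(SAMPLE).items():
        print(pair, info)
```
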
