[Snort-users] Tiny Fragments
dr at ...50...
Fri Oct 6 20:29:22 EDT 2000
On Fri, 06 Oct 2000, you wrote:
> I'm seeing VPN traffic being reported as:
> [**] Tiny Fragments - Possible Hostile Activity [**]
> 10/03-18:41:33.171903 18.104.22.168 -> 22.214.171.124
> TTL:32 TOS:0x0 ID:51306 MF
> Frag Offset: 0x0 Frag Size: 0x38
> There is no matching signature in the visions.conf file, so where
> is this one coming from and how can I suppress it?
These come from the minfrag preprocessor. The default snort-lib
setting reports on all fragments smaller than 128 characters.
Off hand I don't know what tools woould default to 38 byte
fragments (it ain't hping2, fragrouter, or nmap, unless
someone has learned to use the command line opts :-)
If they are all the same size.... that would be suspicious
traffic in my book. (both your examples were 38)
And as a suggestion for everyone posting samples...
the -O obfuscate option will obfuscate your IP.
(Now I wonder it -O could be upgraded to also
obfuscate the IP from the data payload dump.... :-)
More information about the Snort-users