Fwd: Re: [Snort-users] Tiny Fragments
dr at ...50...
Sat Oct 7 00:31:25 EDT 2000
---------- Forwarded Message ----------
Subject: Re: [Snort-users] Tiny Fragments
Date: Fri, 6 Oct 2000 21:25:55 -0700
From: Dragos Ruiu <dr at ...381...>
To: Lance Spitzner <lance at ...185...>
All the artificial tools make tiny fragments and thus can be spotted as
suspicious. In other words using the nmap -f flag stands for "find me
in the IDS logs." :-)
Afaik, fragmentation was originally meant to handle mediation between
devices with different MTU while the higher layer algorithms (e.g. TCP)
hunt around for optimized values. I've never really seen any net
devices with MTUs smaller than 512 bytes/characters... (ATM 53 byte
cells included because they have their own SAR function and buffers
at the AAL5 sublayer.)
So all those small fragments should either be the remnants on
the tail end of a packet or are indicative of some "synthetic"
traffic (i.e. hacking) tool. I would love to hear about any
contradictory real life traffic that negates this observation...
Dragos Ruiu <dr at ...50...> dursec.com ltd. / kyx.net - we're from the future
gpg/pgp key on file at wwwkeys.pgp.net
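A worked version of the heuristic the message describes, as an added example that is not part of the original post or of Snort: it parses IPv4 headers and flags a fragment as "tiny" only when the More-Fragments bit is set and the fragment carries less payload than any realistic MTU, so the small tail-end fragment the message explicitly allows for is not flagged. The 512-byte threshold is the figure the message cites; the packet builder and the sample packets are constructed for this example.

```python
import struct

# Threshold taken from the message's observation that no net device has an MTU
# below roughly 512 bytes: a NON-final fragment smaller than this has no
# legitimate reason to exist and is treated as synthetic traffic.
TINY_FRAGMENT_THRESHOLD = 512


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 header fields the fragment heuristic needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto = struct.unpack(
        "!BBHHHBB", pkt[:10]
    )
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    return {
        "proto": proto,
        "df": bool(flags_frag & 0x4000),          # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),          # More Fragments flag
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # offset is in 8-byte units
        "payload_len": total_len - ihl,           # bytes after the IP header
    }


def classify_fragment(pkt: bytes) -> str:
    """Apply the heuristic from the message.

    - unfragmented: MF clear and offset 0, nothing to judge.
    - last-fragment: MF clear with a non-zero offset; this is the tail-end
      remnant, which is legitimately small.
    - tiny-fragment: MF set but payload below the threshold; only a tool
      that fragments deliberately produces this.
    - fragment: MF set with a plausible, MTU-sized payload.
    """
    h = parse_ipv4(pkt)
    if not h["mf"] and h["frag_offset"] == 0:
        return "unfragmented"
    if not h["mf"]:
        return "last-fragment"
    if h["payload_len"] < TINY_FRAGMENT_THRESHOLD:
        return "tiny-fragment"
    return "fragment"


def build_ipv4(payload_len: int, mf: bool, frag_offset: int, proto: int = 6) -> bytes:
    """Construct a minimal IPv4 packet (constructed test input, checksum left 0)."""
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 1, flags_frag, 64, proto, 0,
        bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]),
    )
    return header + b"\x00" * payload_len


def scan(packets) -> dict:
    """Count fragment classes over a packet list; useful as a log summary."""
    counts = {"unfragmented": 0, "last-fragment": 0, "tiny-fragment": 0, "fragment": 0}
    for pkt in packets:
        counts[classify_fragment(pkt)] += 1
    return counts


if __name__ == "__main__":
    # Constructed sample: one normal datagram, a real 1480/40-byte split,
    # and a series of 8-byte non-final fragments of the kind the message calls synthetic.
    samples = [
        build_ipv4(60, False, 0),
        build_ipv4(1480, True, 0),
        build_ipv4(40, False, 1480),
        build_ipv4(8, True, 0),
        build_ipv4(8, True, 8),
        build_ipv4(8, True, 16),
    ]
    for pkt in samples:
        print(classify_fragment(pkt))
    print(scan(samples))
```

The key design point is the MF check: a small fragment is only suspicious when more fragments are promised to follow it, which is exactly the distinction the message draws between a tail-end remnant and a synthetic stream of tiny pieces.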