Fwd: Re: [Snort-users] Tiny Fragments

Dragos Ruiu dr at ...50...
Sat Oct 7 00:31:25 EDT 2000


----------  Forwarded Message  ----------
Subject: Re: [Snort-users] Tiny Fragments
Date: Fri, 6 Oct 2000 21:25:55 -0700
From: Dragos Ruiu <dr at ...381...>
To: Lance Spitzner <lance at ...185...>


All the artificial tools make tiny fragments and thus can be spotted as
suspicious. In other words using the nmap -f flag stands for "find me
in the IDS logs."  :-)

AFAIK, fragmentation was originally meant to handle mediation between
devices with different MTU while the higher layer algorithms (e.g. TCP)
hunt around for optimized values.  I've never really seen any net
devices with MTUs smaller than 512 bytes/characters... (ATM 53 byte
cells included because they have their own SAR function and buffers
at the AAL5 sublayer.)

So all those small fragments should either be the remnants on
the tail end of a packet or are indicative of some "synthetic"
traffic (i.e. hacking) tool. I would love to hear about any
contradictory real life traffic that negates this observation....

cheers,
--dr

-- 
Dragos Ruiu <dr at ...50...>   dursec.com ltd. / kyx.net - we're from the future 
gpg/pgp key on file at wwwkeys.pgp.net
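The observation in the message above (a legitimately small fragment is the tail of a datagram; a small fragment that still has More Fragments set is worth flagging) can be turned into a simple classifier over raw IPv4 packets. The code below is an added example, not part of the original post and not Snort's own fragment logic; the 256-byte threshold, the sample packets and the helper that builds them are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Assumed threshold (editor's choice, not from the post): a non-final
# fragment carrying fewer payload bytes than this is reported as "tiny".
TINY_FRAGMENT_BYTES = 256


@dataclass
class Ipv4Fragment:
    src: str
    dst: str
    proto: int
    ident: int
    more_fragments: bool
    offset: int        # fragment offset in bytes
    payload_len: int   # bytes after the IP header, per the total length field


def parse_ipv4(packet: bytes) -> Ipv4Fragment:
    """Parse the fixed IPv4 header of a raw packet (options are skipped)."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    # Sample data below is never snaplen-truncated, so insist on an exact match.
    if ihl < 20 or total_len < ihl or total_len != len(packet):
        raise ValueError("inconsistent IHL / total length")
    return Ipv4Fragment(
        src=".".join(map(str, src)),
        dst=".".join(map(str, dst)),
        proto=proto,
        ident=ident,
        more_fragments=bool(flags_frag & 0x2000),   # MF bit
        offset=(flags_frag & 0x1FFF) * 8,           # offset field is in 8-byte units
        payload_len=total_len - ihl,
    )


def classify_fragment(frag: Ipv4Fragment, threshold: int = TINY_FRAGMENT_BYTES) -> str:
    """Label one datagram: 'unfragmented', 'tail', 'malformed', 'tiny' or 'ok'."""
    if not frag.more_fragments and frag.offset == 0:
        return "unfragmented"
    if not frag.more_fragments:
        # Last fragment: the legitimate small "remnant" the post describes.
        return "tail"
    if frag.payload_len == 0 or frag.payload_len % 8 != 0:
        # Every non-final fragment must carry a non-zero multiple of 8 bytes.
        return "malformed"
    if frag.payload_len < threshold:
        # More Fragments set but hardly any payload: synthetic-looking traffic.
        return "tiny"
    return "ok"


def build_fragment(ident: int, offset: int, more: bool,
                   payload: bytes, proto: int = 6) -> bytes:
    """Constructed sample data: IPv4 header (no options, zero checksum) + payload."""
    flags_frag = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload


# Constructed packets: one 8-byte fragmented datagram, one ordinary MTU-1500
# split, and one non-final fragment whose size is not a multiple of 8.
SAMPLE_PACKETS: List[bytes] = [
    build_fragment(0x1234, 0, True, b"\x00" * 8),
    build_fragment(0x1234, 8, False, b"\x00" * 16),
    build_fragment(0x5678, 0, True, b"\x00" * 1480),
    build_fragment(0x5678, 1480, False, b"\x00" * 520),
    build_fragment(0x9ABC, 0, True, b"\x00" * 12),
]


def report(packets: List[bytes]) -> List[Tuple[str, str]]:
    """Return (IP ID, label) for each packet so the result can be checked."""
    return [(hex(f.ident), classify_fragment(f)) for f in map(parse_ipv4, packets)]


if __name__ == "__main__":
    for ident, label in report(SAMPLE_PACKETS):
        print(ident, label)
```

The "tail" label is what keeps the check honest: a final fragment of any size is expected, so only non-final fragments are measured against the threshold, and a non-final fragment that is not a multiple of eight bytes cannot be reassembled and is reported separately rather than silently counted as tiny.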