[Snort-users] Source/Dest IPs for Tiny Fragments

Nathan Spande NSpande at ...620...
Wed Jan 17 11:44:05 EST 2001


Hey snorters,

We see a number of Tiny Fragments every day around here, and after doing
some looking into it (thanks Roman!) it seems that snort 1.7 doesn't log
source or dest IPs into our database.  However, it seems that other folks
get IPs in their output, when logs get sent to a flat file, or a syslog.
Now, I don't want to sound jealous, but frankly, I think all of us using
databases should feel hurt.  Where's the love?

Anyway, we can't be the only ones getting frustrated when we see "unknown"
as the source and dest IPs for these alerts.  My guess is that it might have
something to do with the determination of what to log based on protocol,
since the syslog function doesn't do that, and it gets the IPs just fine.
Has the TCP/UDP/ICMP determination not been made for the minfrag processor?

Thanks,

Nathan
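The question above turns on where the source and destination addresses actually come from: they are fields of the IP header, so they are known for every fragment, while anything transport-specific (ports, TCP flags) may simply be absent from a tiny first fragment. The following is an added example, not Snort's own minfrag or database-plugin code and not part of the original post. It parses an IPv4 header, applies a simplified tiny-fragment check with an assumed illustrative threshold of 128 bytes, and builds an alert record in which the IPs are always filled in while the TCP flags are None when the fragment does not carry them. All packets are constructed in the script itself.

```python
import socket
import struct

# Assumed illustrative threshold in bytes (not taken from Snort's own source).
TINY_FRAG_THRESHOLD = 128

IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte fixed IPv4 header, no options


def build_ipv4(src, dst, proto, payload, more_fragments=False, frag_offset_units=0, ident=0x1234):
    """Constructed IPv4 packet for testing (checksum left zero on purpose).
    frag_offset_units is in 8-byte units, as carried on the wire."""
    ihl = 5
    total_length = ihl * 4 + len(payload)
    flags_frag = ((1 if more_fragments else 0) << 13) | (frag_offset_units & 0x1FFF)
    header = struct.pack(
        IPV4_HDR,
        (4 << 4) | ihl,  # version 4, IHL 5
        0,               # TOS
        total_length,
        ident,
        flags_frag,
        64,              # TTL
        proto,
        0,               # header checksum (not validated here)
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return header + payload


def parse_ipv4(pkt):
    """Decode only the IP-layer fields needed to judge a fragment.
    Source and destination addresses live here, so they are known for every
    fragment regardless of whether the transport protocol can be decoded."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IPV4_HDR, pkt[:20])
    header_len = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or header_len < 20 or len(pkt) < header_len:
        raise ValueError("not a well-formed IPv4 packet")
    return {
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "proto": proto,
        "ident": ident,
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,   # bytes
        "payload_len": total_length - header_len,
        "header_len": header_len,
    }


def is_tiny_fragment(pkt, threshold=TINY_FRAG_THRESHOLD):
    """A fragment (MF set or non-zero offset) carrying fewer than `threshold`
    bytes of data. Simplified version of the minfrag idea, not Snort's code."""
    hdr = parse_ipv4(pkt)
    is_fragment = hdr["mf"] or hdr["frag_offset"] > 0
    return is_fragment and hdr["payload_len"] < threshold


def tcp_flags(pkt):
    """Return the TCP flags byte only if this packet actually contains it:
    it must be the first fragment (offset 0) and carry at least 14 bytes of
    TCP header. A tiny first fragment pushes the flags into the next fragment."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] != 6 or hdr["frag_offset"] != 0:
        return None
    payload = pkt[hdr["header_len"]:]
    if len(payload) < 14:
        return None
    return payload[13]


def alert_record(pkt, msg="Tiny Fragments"):
    """Fields an alert could carry for a tiny fragment. IPs are always
    filled in from the IP header; transport detail is None when unavailable."""
    hdr = parse_ipv4(pkt)
    return {
        "msg": msg,
        "src": hdr["src"],
        "dst": hdr["dst"],
        "proto": hdr["proto"],
        "frag_offset": hdr["frag_offset"],
        "mf": hdr["mf"],
        "tcp_flags": tcp_flags(pkt),
    }


# Constructed samples: the first fragment holds only 8 bytes of the TCP header
# (ports + sequence number), so the SYN flag sits in the second fragment.
TINY_FIRST_FRAG = build_ipv4("192.0.2.10", "198.51.100.5", 6,
                             b"\x04\xd2\x00\x50\x00\x00\x00\x01", more_fragments=True)
SECOND_FRAG = build_ipv4("192.0.2.10", "198.51.100.5", 6,
                         b"\x00\x00\x00\x00\x50\x02\x20\x00\x00\x00\x00\x00",
                         frag_offset_units=1)
FULL_PACKET = build_ipv4("192.0.2.10", "198.51.100.5", 6,
                         b"\x04\xd2\x00\x50" + b"\x00" * 9 + b"\x02" + b"\x00" * 6)
```

Running `alert_record(TINY_FIRST_FRAG)` gives a record whose `src` and `dst` are populated and whose `tcp_flags` is None; the same holds for `SECOND_FRAG`, which has no transport header at all. The point for the logging question is that the "unknown" IPs are not a property of the packet: only the protocol-specific fields need to be undetermined for a fragment, never the addresses.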



