[Snort-users] Source/Dest IPs for Tiny Fragments

Chris Green cmg at ...671...
Wed Jan 17 12:14:46 EST 2001


A while ago, I wrote a patch for this so that the ip src/dst was
stored.  I think Jed is pretty swamped right now.

This patch was for cvs of a while ago but it will probably apply with
a limited amount of fuzz.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: spo_database-frag.patch
Type: text/x-patch
Size: 1864 bytes
Desc: minfrag patch
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20010117/0b0b9279/attachment.bin>
-------------- next part --------------


Nathan Spande <NSpande at ...620...> writes:

> Hey snorters,
> 
> We see a number of Tiny Fragments every day around here, and after doing
> some looking into it (thanks Roman!) it seems that snort 1.7 doesn't log
> source or dest IPs into our database.  However, it seems that other folks
> get IPs in their output, when logs get sent to a flat file, or a syslog.
> Now, I don't want to sound jealous, but frankly, I think all of us using
> databases should feel hurt.  Where's the love?
> 
> Anyway, we can't be the only ones getting frustrated when we see "unknown"
> as the source and dest IPs for these alerts.  My guess is that it might have
> something to do with the determination of what to log based on protocol,
> since the syslog function doesn't do that, and it gets the IPs just fine.
> Has the TCP/UDP/ICMP determination not been made for the minfrag processor?
> 
> Thanks,
> 
> Nathan

-- 
Chris Green <cmg at ...671...>
*"Ow!  He's viciously smashing my kneecaps with his face!"
	- Crispin Cowan

