[Snort-users] Source/Dest IPs for Tiny Fragments

Jed Pickel jed at ...153...
Thu Jan 18 15:48:13 EST 2001

On Wed, Jan 17, 2001 at 11:14:46AM -0600, Chris Green wrote:
> This patch was for cvs of a while ago but it will probably apply with
> a limited amount of fuzz.

Hey Chris (and others interested in logging fragments to the database),

I just committed a slightly modified version of your patch to address
this issue. Browsing the IP RFC, there are circumstances where all IP
options may not make it in a fragment (so I added a check for
that) and moved a couple other small things around. Anyway, grab
the latest from CVS and make sure it works for you.

Next step is to add layer 4 and ICMP header logging for fragments in
circumstances where that info is available. First I'll need to rewrite
how queries are built to do this most efficiently.


*  Jed

> Nathan Spande <NSpande at ...620...> writes:
> > Hey snorters,
> > 
> > We see a number of Tiny Fragments every day around here, and after doing
> > some looking into it (thanks Roman!) it seems that snort 1.7 doesn't log
> > source or dest IPs into our database.  However, it seems that other folks
> > get IPs in their output, when logs get sent to a flat file, or a syslog.
> > Now, I don't want to sound jealous, but frankly, I think all of us using
> > databases should feel hurt.  Where's the love?
> > 
> > Anyway, we can't be the only ones getting frustrated when we see "unknown"
> > as the source and dest IPs for these alerts.  My guess is that it might have
> > something to do with the determination of what to log based on protocol,
> > since the syslog function doesn't do that, and it gets the IPs just fine.
> > Has the TCP/UDP/ICMP determination not been made for the minfrag processor?
> > 
> > Thanks,
> > 
> > Nathan
> > 
> -- 
> Chris Green <cmg at ...671...>
> *"Ow!  He's viciously smashing my kneecaps with his face!"
> 	- Crispin Cowan
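
An added example, not part of the original messages and not Snort's own code: one way to decide which fields of an IPv4 fragment are safe to log, along the lines discussed above (addresses from the fixed header, options only as far as they were captured, layer 4 only when the fragment can carry it). The `frag_info` struct, `parse_frag`, the 8-byte layer 4 threshold and the sample packets are assumptions constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record for this example; not Snort's own Packet structure. */
struct frag_info {
    uint32_t src, dst;       /* addresses, host byte order */
    uint8_t  proto;
    uint16_t frag_off;       /* fragment offset in bytes */
    int      more_frags;
    size_t   opt_len;        /* IP option bytes actually present */
    int      opts_truncated; /* header length claims more than was captured */
    int      l4_available;   /* first fragment carrying >= 8 payload bytes */
};

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Returns 0 on success, -1 when even the fixed 20-byte header is missing. */
int parse_frag(const uint8_t *pkt, size_t caplen, struct frag_info *out)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20) return -1;
    unsigned fo = (unsigned)pkt[6] << 8 | pkt[7];
    memset(out, 0, sizeof *out);
    out->src = rd32(pkt + 12);          /* always inside the fixed header */
    out->dst = rd32(pkt + 16);
    out->proto = pkt[9];
    out->more_frags = (fo & 0x2000) != 0;
    out->frag_off = (uint16_t)((fo & 0x1fff) * 8);
    out->opts_truncated = caplen < ihl; /* never read options past caplen */
    out->opt_len = (caplen < ihl ? caplen : ihl) - 20;
    out->l4_available = out->frag_off == 0 && caplen >= ihl + 8;
    return 0;
}

/* Constructed samples: a non-first 8-byte fragment, and a first fragment
 * whose header claims 24 bytes but only 22 were captured. */
const uint8_t SAMPLE_LATER[28] = { 0x45,0,0,0x1c, 0x12,0x34,0x00,0x01, 0x40,6,0,0,
    10,0,0,1, 10,0,0,2, 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41 };
const uint8_t SAMPLE_CUT[22] = { 0x46,0,0,0x20, 0x12,0x34,0x20,0x00, 0x40,17,0,0,
    10,0,0,1, 10,0,0,2, 0x01,0x01 };

int main(void)
{
    struct frag_info f;
    return parse_frag(SAMPLE_CUT, sizeof SAMPLE_CUT, &f) == 0 && f.opts_truncated ? 0 : 1;
}
```

Both samples yield source and destination addresses even though neither carries a usable layer 4 header, so an output plugin working from a record like this never needs to log "unknown" for a fragment that has its fixed header.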
