[Snort-users] snort sees no fragmented attack

Matt Kettler mkettler at ...4108...
Fri Aug 9 09:28:02 EDT 2002

My first inclination after reading the snort.conf Holger is using is to ask 
how bad is the packet drop rate?

The reason I ask is that HOME_NET, EXTERNAL_NET and HTTP_SERVERS are all 
set to 'any' ... That's going to put a pretty painful load on snort.

Send a kill -USR1 to snort and then look.

Also, the rule in question uses HTTP_PORTS, being a relatively new rule, but 
the snort.conf doesn't contain this variable, being from an old snort. Is 
snort even successfully loading these rules files? Or is snort bombing out 
on startup because it can't understand the syntax of the rule files?

When upgrading your rulefiles, note that the rules tarball contains a new 
snort.conf.. don't ignore it. It's in with the rules tarball for a very 
significant reason.

At 04:09 PM 8/9/2002 +0200, Andreas Östling wrote:

>On Fri, 9 Aug 2002 Holger.Woehle at ...2701... wrote:
> > echo "GET /aaaaaaa/aaa/aaaaa/aaaaaaaa/aaaaaaa/bcc/bin/ps" | nc
>I think this should work since you seem to have frag2 loaded...
>(perhaps a very old version?)
>I tried 1.9beta2 on 100 mtu ethernet and snort had no trouble with
>that packet/rule (alert was generated).
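
An added example, not part of the original message and not Snort code: a small Python check for the mismatch described above, where a newer rules file references a variable (here HTTP_PORTS) that an older snort.conf never defines. It also lists variables set to 'any'. The sample config and rules are constructed for illustration; the function names are hypothetical.

```python
import re

# 'var NAME value' lines as used in snort.conf
VAR_DEF = re.compile(r'^\s*var\s+(\w+)\s+(\S+)')
# $NAME or $(NAME) references
VAR_REF = re.compile(r'\$\(?(\w+)')
ACTIONS = ("alert", "log", "pass", "activate", "dynamic")

def defined_vars(conf_text):
    """Return {name: value} for every 'var' line in the config text."""
    found = {}
    for line in conf_text.splitlines():
        m = VAR_DEF.match(line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def any_valued(conf_text):
    """Names of variables whose value is the literal 'any'."""
    return sorted(n for n, v in defined_vars(conf_text).items() if v == "any")

def undefined_refs(conf_text, rules_text):
    """Sorted (variable, line number) pairs used in rule headers but never defined."""
    known = defined_vars(conf_text)
    missing = set()
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = line.strip()
        if not rule.startswith(ACTIONS):
            continue  # comments, blank lines, includes
        # Only the header (before the option list) takes variables; a '$' inside
        # content strings must not be reported. '$(' is a variable, not the options.
        header = re.split(r'(?<!\$)\(', rule, maxsplit=1)[0]
        for name in VAR_REF.findall(header):
            if name not in known:
                missing.add((name, lineno))
    return sorted(missing)

# Constructed sample: old-style config without HTTP_PORTS, newer-style rules.
SAMPLE_CONF = """\
# constructed old-style snort.conf
var HOME_NET any
var EXTERNAL_NET any
var HTTP_SERVERS any
preprocessor frag2
"""
SAMPLE_RULES = """\
# constructed rules file
alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"constructed /bin/ps rule"; content:"/bin/ps"; sid:1000001;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"constructed"; content:"$PATH"; sid:1000002;)
"""

if __name__ == "__main__":
    for name, lineno in undefined_refs(SAMPLE_CONF, SAMPLE_RULES):
        print(f"rules line {lineno}: ${name} is not defined in snort.conf")
    print("set to 'any':", ", ".join(any_valued(SAMPLE_CONF)))
```
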
