[Snort-users] Missing port number in alert file.

Matt Kettler mkettler at ...4108...
Thu Aug 15 08:57:02 EDT 2002

Teardrop attacks aren't port dependent. It's a pure IP layer attack 
involving overlapping fragments. The spp_frag2 that detected the error 
isn't even aware that TCP or UDP exist, so the idea of port numbers doesn't 
make sense to it. The message output layers identified it as a UDP packet, 
but really, since it's a teardrop packet it doesn't matter what port it's 
to, it's bad.

In this case one of a few things might cause this message:

1) or one of the routers in the path to it has a *very* buggy 
IP stack, i.e. it can't properly fragment packets.
2) you're running a very old, buggy version of snort (pre 1.8) which has 
bugs in the frag preprocessor. (some very old versions of snort have buggy 
stream/frag handling)
3) this packet is part of an attempt to evade IDS detection, via fragroute 
or similar tools.
4) this is a lame attempt to perform a denial of service attack on

At 01:30 PM 8/15/2002 +0800, SW wrote:
>I don't know why there is no port number shown in the alert file when there
>is a Frag attack (for example a Teardrop attack).
>Here is a sample alert msg:
>[**] [113:2:1] spp_frag2: Teardrop attack [**]
>08/13/02-02:02:45.980187 ->
>UDP TTL:64 TOS:0x0 ID:242 IpLen:20 DgmLen:24
>Frag Offset: 0x0003   Frag Size: 0x0001
>Port number is missing in the second line of this msg.
>Is this a bug of Snort?
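
An added illustration of the point made in the reply (not part of the original thread and not Snort's spp_frag2 code): an overlap check needs only IP header fields, and a fragment with a non-zero offset carries no UDP header to read ports from. The `Frag` type, the function names and the sample fragments are constructed for this example; it assumes the alert's "Frag Offset" is the raw header field in 8-byte units, and the 192.0.2.x addresses are placeholders.

```python
from collections import defaultdict
from typing import NamedTuple


class Frag(NamedTuple):
    src: str
    dst: str
    proto: int         # 17 = UDP, taken from the IP header only
    ip_id: int         # "ID" in the alert
    offset_units: int  # "Frag Offset", 13-bit field in 8-byte units
    ip_hlen: int       # "IpLen"
    dgm_len: int       # "DgmLen" (IP total length)

    @property
    def start(self) -> int:
        return self.offset_units * 8

    @property
    def end(self) -> int:
        return self.start + (self.dgm_len - self.ip_hlen)


def carries_l4_header(f: Frag) -> bool:
    """Only the fragment at offset 0 holds the UDP/TCP header (and the ports)."""
    return f.offset_units == 0


def find_overlaps(frags):
    """Return (earlier, later) fragment pairs of one datagram whose bytes overlap."""
    seen_by_datagram = defaultdict(list)
    hits = []
    for f in frags:
        key = (f.src, f.dst, f.proto, f.ip_id)  # reassembly key: no ports in it
        for seen in seen_by_datagram[key]:
            if f.start < seen.end and seen.start < f.end:
                hits.append((seen, f))
        seen_by_datagram[key].append(f)
    return hits


# Constructed sample. The second entry uses the values printed in the alert above.
SAMPLE = [
    Frag("192.0.2.1", "192.0.2.2", 17, 242, 0, 20, 52),  # bytes 0-32
    Frag("192.0.2.1", "192.0.2.2", 17, 242, 3, 20, 24),  # bytes 24-28, inside the first
    Frag("192.0.2.1", "192.0.2.2", 17, 243, 0, 20, 52),  # bytes 0-32
    Frag("192.0.2.1", "192.0.2.2", 17, 243, 4, 20, 36),  # bytes 32-48, no overlap
]

if __name__ == "__main__":
    for earlier, later in find_overlaps(SAMPLE):
        print(f"overlap in ID {later.ip_id}: bytes {later.start}-{later.end}, "
              f"ports available: {carries_l4_header(later)}")
```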