[Snort-users] Missing port number in alert file.
mkettler at ...4108...
Thu Aug 15 08:57:02 EDT 2002
Teardrop attacks aren't port dependent. It's a pure IP layer attack
involving overlapping fragments. The spp_frag2 that detected the error
isn't even aware that tcp or udp exist, so the idea of port numbers doesn't
make sense to it. The message output layers identified it as a UDP packet,
but really, since it's a teardrop packet it doesn't matter what port it's
to, it's bad.
In this case one of a few things might cause this message:
1) 126.96.36.199 or one of the routers in the path to it has a *very* buggy
IP stack, i.e. it can't properly fragment packets.
2) you're running a very old, buggy version of snort (pre 1.8) which has
bugs in the frag preprocessor. (some very old versions of snort have buggy
3) this packet is part of an attempt to evade IDS detection, via fragroute
or similar tools.
4) this is a lame attempt to perform a denial of service attack on 192.168.1.2
At 01:30 PM 8/15/2002 +0800, SW wrote:
>I don't know why there is no port number shown in the alert file when there
>is a Frag attack (for example a Teardrop attack).
>Here is a sample alert msg:
>[**] [113:2:1] spp_frag2: Teardrop attack [**]
>08/13/02-02:02:45.980187 188.8.131.52 -> 192.168.1.2
>UDP TTL:64 TOS:0x0 ID:242 IpLen:20 DgmLen:24
>Frag Offset: 0x0003 Frag Size: 0x0001
>Port number is missing in the second line of this msg.
>Is this a bug of Snort?
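An added illustration, not code from this thread or from Snort's spp_frag2, of the check a fragment reassembler makes to raise an overlap alert like the one above: it works purely on IP-layer fields (IP ID and fragment offset in 8-byte units), so no transport port is ever involved. The fragment values other than those copied from SW's alert are constructed.

```python
"""Per-datagram IP fragment overlap check (teardrop-style detection)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int          # IP header identification field
    frag_offset: int    # fragment offset from the IP header, in 8-byte units
    payload_len: int    # data bytes in this fragment (DgmLen - IpLen)


@dataclass
class FragTracker:
    # (src, dst, ip_id) -> byte ranges [start, end) already received
    seen: Dict[Tuple[str, str, int], List[Tuple[int, int]]] = field(default_factory=dict)

    def check(self, frag: Fragment) -> Optional[str]:
        """Return an alert string if frag overlaps data already seen, else None."""
        start = frag.frag_offset * 8          # offset field is in 8-byte units
        end = start + frag.payload_len        # exclusive end of this fragment
        ranges = self.seen.setdefault((frag.src, frag.dst, frag.ip_id), [])
        for s, e in ranges:
            if start < e and s < end:         # half-open intervals intersect
                return (f"spp_frag2-style overlap: {frag.src} -> {frag.dst} "
                        f"ID:{frag.ip_id} bytes {start}-{end} overlap {s}-{e}")
        ranges.append((start, end))
        return None


def run_sample() -> List[str]:
    """Feed constructed fragments through the tracker and collect alerts."""
    tracker = FragTracker()
    fragments = [
        # Benign datagram: two fragments that abut exactly (bytes 0-24, 24-32).
        Fragment("10.0.0.1", "10.0.0.2", 7, 0, 24),
        Fragment("10.0.0.1", "10.0.0.2", 7, 3, 8),
        # Constructed first fragment for the datagram in SW's alert (32 data bytes),
        # followed by the alerted fragment itself: ID 242, Frag Offset 0x0003,
        # DgmLen 24 - IpLen 20 = 4 bytes, landing inside data already received.
        Fragment("188.8.131.52", "192.168.1.2", 242, 0, 32),
        Fragment("188.8.131.52", "192.168.1.2", 242, 3, 4),
    ]
    return [a for a in (tracker.check(f) for f in fragments) if a]


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second fragment at offset 3 carries no UDP header at all, which is why only addresses can be printed for it.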