[Snort-users] Checking for "Frag Offset"

Sheahan, Paul (PCLN-NW) Paul.Sheahan at ...2218...
Tue Mar 26 12:33:18 EST 2002


I am trying to do some testing and analysis on fragmented packets. Looking
at the headers of fragmented packets, they always contain "Frag Offset:" in
them. So I tried to have Snort alert on packets with content of "Frag
Offset" as a test, but no alerts were generated even though many packets
with "Frag Offset" in the header had entered the network.

Is there another way I can have Snort alert on fragmented packets, such as
with the flags: Snort option or something?

Thanks!



