[Snort-users] Checking for "Frag Offset"

Matt Kettler mkettler at ...4108...
Tue Mar 26 13:11:09 EST 2002


I suspect you're confusing two things:

1) the "content" rule for snort matches packet data, not headers, so if 
this text was in the header, a content: rule won't catch it anyway.

2) The literal text "Frag Offset" should not be in the headers of 
fragmented packets. That's a human-readable decode of the binary header. 
They don't contain "port", "tcp" or any other such fluff either. The "Frag 
Offset" field of an IP header is bits 50 through 63 in the header, but that 
won't help you much.

I'd use the fragbits:M+ option of a snort rule to detect a fragmented 
packet (one which has the "More Fragments" bit set).

As for your other question about "don't fragment", use fragbits:D+.


See the docs for more detail:

http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.7

At 03:25 PM 3/26/2002 -0500, Sheahan, Paul (PCLN-NW) wrote:

>I am trying to do some testing and analysis on fragmented packets. Looking
>at the headers of fragmented packets, they always contain "Frag Offset:" in
>them. So I tried to have Snort alert on packets with content of "Frag
>Offset" as a test, but no alerts were generated even though many packets
>with "Frag Offset" in the header had entered the network.
>
>Is there another way I can have Snort alert on fragmented packets, such as
>with the flags: Snort option or something?
>
>Thanks!
>
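As an added illustration of the two points above (not part of the original thread or of Snort's code): the flags and fragment offset live in bytes 6-7 of the raw IPv4 header, so "Frag Offset" is something a decoder prints, never bytes a content: match could see. The script below decodes those bits from constructed sample headers and emulates Snort's fragbits test (the +, * and ! modifiers) so the M+ and D+ rules can be reasoned about offline; the header builder and sample values are constructed for this example.

```python
import struct

# Bytes 6-7 of an IPv4 header hold [R][DF][MF] followed by the 13-bit fragment offset.
FLAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}
OFFSET_MASK = 0x1FFF


def decode_frag_fields(ip_header: bytes) -> dict:
    """Decode the flag bits and fragment offset (in 8-byte units) of a raw IPv4 header."""
    if len(ip_header) < 20:
        raise ValueError("an IPv4 header is at least 20 bytes")
    word = struct.unpack("!H", ip_header[6:8])[0]
    return {
        "DF": bool(word & FLAG_BITS["D"]),
        "MF": bool(word & FLAG_BITS["M"]),
        "frag_offset": word & OFFSET_MASK,
    }


def fragbits_match(ip_header: bytes, spec: str) -> bool:
    """Emulate Snort's fragbits option: spec is e.g. "M", "M+", "D*" or "!M"."""
    mask, mode = 0, ""
    for ch in spec:
        if ch in FLAG_BITS:
            mask |= FLAG_BITS[ch]
        elif ch in "+*!":
            mode = ch
        else:
            raise ValueError(f"bad fragbits spec: {spec!r}")
    set_bits = struct.unpack("!H", ip_header[6:8])[0] & 0xE000
    if mode == "+":          # named bits set, any others allowed
        return set_bits & mask == mask
    if mode == "*":          # any of the named bits set
        return set_bits & mask != 0
    if mode == "!":          # none of the named bits set
        return set_bits & mask == 0
    return set_bits == mask  # no modifier: exact match


def build_ipv4_header(df: bool, mf: bool, frag_offset: int, payload_len: int = 8) -> bytes:
    """Constructed sample: a minimal 20-byte IPv4 header (checksum left as zero)."""
    word = (FLAG_BITS["D"] if df else 0) | (FLAG_BITS["M"] if mf else 0) | (frag_offset & OFFSET_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, word,
                       64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))


if __name__ == "__main__":
    samples = [("first fragment", build_ipv4_header(False, True, 0)),
               ("last fragment", build_ipv4_header(False, False, 185)),
               ("DF packet", build_ipv4_header(True, False, 0))]
    for name, hdr in samples:
        print(name, decode_frag_fields(hdr), "fragbits:M+ ->", fragbits_match(hdr, "M+"))
```

Note that the last fragment of a datagram has MF clear and a nonzero offset, so fragbits:M+ alone never sees it; the decoded frag_offset is what identifies that case.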





More information about the Snort-users mailing list