[Snort-users] Frag2

Blake Frantz blake at ...319...
Mon Apr 14 13:25:03 EDT 2003


I'm running snort version 1.9.1-db (Build 231)

I've been getting a lot of "MISC Tiny Fragments" due to some 36-byte packets
(including the IP header) that have been running through my network.  I've
done some research and determined the cause of this traffic, but snort is not
alerting on rules I have set that define the packet in its defragmented
state.  So I took a look at my snort stats for frag2.

Fragmentation Stats:
Fragmented IP Packets: 88579      (0.736%)
    Fragment Trackers: 0         
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
  Frag2 memory faults: 0       

After seeing the column of goose eggs there I thought something was up, or
I'm misunderstanding what "Rebuilt IP Packets: 0" means.  I upped the frag2
memcap to 50MB to see if that would help, but I'm still not getting any
alerts.

(from my snort.conf :: preprocessor frag2 memcap 50000000)

I fired up another packet defragger and got the following output:

Status     : Fragged packet compilation done for id=62d8 proto=UDP
Src        : a.b.179.7
Dst        : c.d.159.13
Src Port   : 62465
Dst Port   : 62465
Data       : [ data ]

....
....

Then added two rules to snort:

alert udp a.b.179.7 62465 -> c.d.159.13 62465 (msg:"YO BLAKE I";)
alert udp c.d.159.13 62465 -> a.b.179.7 62465 (msg:"YO BLAKE II";)

But still nothing...

Fragmentation Stats:
Fragmented IP Packets: 118998     (0.668%)
    Fragment Trackers: 0         
   Rebuilt IP Packets: 0         
   Frag elements used: 0         
Discarded(incomplete): 0         
   Discarded(timeout): 0         
  Frag2 memory faults: 0 

No alerts, no logs, no nothing.

Any idea what is going on here?

Thanks in advance,

Blake Frantz  CISSP, MCSE, CCNA, CNA
Security Engineer
mc.net
720 Industrial Drive #121
Cary, IL 60013
phn: (847)-594-5111 x5734
fax: (847)-639-0097
mailto:blake at ...319...
http://www.mc.net
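Added example (not part of Blake's post or of Snort itself): a small Python script that parses a frag2 "Fragmentation Stats" block in the format shown above and flags the inconsistency the post describes, namely fragments being counted but no trackers allocated and nothing rebuilt, discarded or faulted. The sample stats blocks are constructed here; the first reuses the numbers from the post, the second is a made-up healthy run for comparison.

```python
import re

# Constructed sample 1: the block from the post above (frag2 seeing fragments
# but never tracking or rebuilding anything).
STATS_FROM_POST = """\
Fragmentation Stats:
Fragmented IP Packets: 88579      (0.736%)
    Fragment Trackers: 0
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
"""

# Constructed sample 2: what a working frag2 run might look like (made-up values).
STATS_HEALTHY = """\
Fragmentation Stats:
Fragmented IP Packets: 100        (0.500%)
    Fragment Trackers: 3
   Rebuilt IP Packets: 40
   Frag elements used: 12
Discarded(incomplete): 2
   Discarded(timeout): 1
  Frag2 memory faults: 0
"""

# One "Name: integer" counter per line; the "Fragmentation Stats:" header has
# no integer after the colon, so it is skipped. The trailing "(x.xxx%)" is ignored.
STAT_RE = re.compile(r"^\s*(?P<name>[A-Za-z0-9 ()]+?):\s*(?P<value>\d+)", re.M)


def parse_frag2_stats(text):
    """Return {counter_name: int} for every counter line in a frag2 stats block."""
    return {m.group("name").strip(): int(m.group("value"))
            for m in STAT_RE.finditer(text)}


def diagnose_frag2(stats):
    """Return a list of findings explaining why the counters look inconsistent.

    An empty list means the counters are self-consistent (not that every
    fragment was reassembled, only that frag2 is visibly doing its job).
    """
    findings = []
    seen = stats.get("Fragmented IP Packets", 0)
    trackers = stats.get("Fragment Trackers", 0)
    rebuilt = stats.get("Rebuilt IP Packets", 0)
    elements = stats.get("Frag elements used", 0)
    discarded = (stats.get("Discarded(incomplete)", 0)
                 + stats.get("Discarded(timeout)", 0))
    faults = stats.get("Frag2 memory faults", 0)

    # Fragments were counted on the wire, but frag2 never allocated a tracker
    # or a fragment element for any of them: they were not queued at all.
    if seen > 0 and trackers == 0 and elements == 0:
        findings.append("fragments seen but no trackers/elements allocated: "
                        "frag2 never queued them for reassembly")

    # Every queued fragment ends up rebuilt, discarded, or counted as a memory
    # fault; if all three are zero while fragments were seen, reassembly never ran.
    if seen > 0 and rebuilt == 0 and discarded == 0 and faults == 0:
        findings.append("fragments seen but nothing rebuilt, discarded or faulted: "
                        "reassembly did not run, so rules on the whole datagram cannot fire")

    # Memory faults mean frag2 hit its memcap and dropped state.
    if faults > 0:
        findings.append("frag2 memory faults > 0: memcap too low for this traffic")

    return findings


if __name__ == "__main__":
    for label, block in (("post", STATS_FROM_POST), ("healthy", STATS_HEALTHY)):
        print(label, diagnose_frag2(parse_frag2_stats(block)) or ["counters consistent"])
```

Run against the block from the post it reports two findings; run against the constructed healthy block it reports none. The point is the check itself: "Fragmented IP Packets" climbing while "Fragment Trackers" and "Rebuilt IP Packets" stay at zero means the fragments are being seen but never handed to reassembly, so a rule written for the reassembled datagram has nothing to match against.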
