[Snort-users] (no subject)

Matt Kettler mkettler at ...4108...
Mon Dec 1 12:20:03 EST 2003


At 01:36 PM 12/1/2003, CGhercoias at ...8619... wrote:
>Does anyone know what they mean?

<snip>

>------
>#(3 - 1249126) [2003-11-28 11:11:24] [snort/1322]  BAD-TRAFFIC bad frag
>bits
>IPv4: 177.x.x.x -> 177.y.y.y

This rule (bad frag bits) means that the "don't fragment" bit is set at the 
same time as the "more fragments" bit.. This is a RFC violation, but it's 
an incredibly common thing for broken IP stacks to do.

In theory any packet with DF that would need fragmentation must be dropped 
and an error message returned. 





More information about the Snort-users mailing list