[Snort-users] (no subject)
mkettler at ...4108...
Mon Dec 1 12:20:03 EST 2003
At 01:36 PM 12/1/2003, CGhercoias at ...8619... wrote:
>Does anyone know what they mean?
>#(3 - 1249126) [2003-11-28 11:11:24] [snort/1322] BAD-TRAFFIC bad frag
>IPv4: 177.x.x.x -> 177.y.y.y
This rule (bad frag bits) means that the "don't fragment" bit is set at the
same time as the "more fragments" bit.. This is a RFC violation, but it's
an incredibly common thing for broken IP stacks to do.
In theory any packet with DF that would need fragmentation must be dropped
and an error message returned.
More information about the Snort-users