[Snort-users] bad frag bits
bmc at ...950...
Tue Nov 25 08:06:30 EST 2003
On Mon, Nov 24, 2003 at 10:00:39PM +0100, Samuel C. Adams wrote:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag
> bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:5;)
> So... I believe this signature generates alerts when packets with both
> the don't fragment and more fragments bits are set. Anyone see this
> alert much?
Yep. And it shows up quite a bit on big NFS networks. This rule will be
disabled by default the next time I do a rules commit.
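
Added example (not part of the original thread and not Snort's own code): a Python check for the condition described above, both Don't Fragment and More Fragments set in an IPv4 header. The helper names and sample headers are constructed for illustration.

```python
import struct

# Flag bits in the 16-bit flags/fragment-offset field of the IPv4 header
IP_RF, IP_DF, IP_MF = 0x8000, 0x4000, 0x2000


def frag_flags(ip_header: bytes) -> set:
    """Return the flag letters (R, D, M) that are set in an IPv4 header."""
    if len(ip_header) < 20:
        raise ValueError("truncated IPv4 header")
    if ip_header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    # Bytes 6-7 hold 3 flag bits followed by the 13-bit fragment offset
    (field,) = struct.unpack_from("!H", ip_header, 6)
    names = (("R", IP_RF), ("D", IP_DF), ("M", IP_MF))
    return {name for name, bit in names if field & bit}


def bad_frag_bits(ip_header: bytes) -> bool:
    """True when both Don't Fragment and More Fragments are set."""
    return {"D", "M"} <= frag_flags(ip_header)


def make_header(flags: int, frag_offset: int = 0) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, 1,              # version/IHL, TOS, total length, ID
        flags | frag_offset,         # flags + fragment offset (8-byte units)
        64, 17, 0,                   # TTL, protocol (UDP), checksum
        bytes([192, 0, 2, 1]),       # source (documentation range)
        bytes([198, 51, 100, 1]),    # destination (documentation range)
    )


# Constructed samples: an unfragmented DF packet, an ordinary middle
# fragment, and the contradictory DF+MF combination.
SAMPLES = {
    "df_only": make_header(IP_DF),
    "mf_fragment": make_header(IP_MF, frag_offset=185),
    "df_and_mf": make_header(IP_DF | IP_MF),
}

if __name__ == "__main__":
    for name, hdr in SAMPLES.items():
        print(name, sorted(frag_flags(hdr)), bad_frag_bits(hdr))
```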