[Snort-users] bad frag bits

Brian bmc at ...950...
Tue Nov 25 08:06:30 EST 2003


On Mon, Nov 24, 2003 at 10:00:39PM +0100, Samuel C. Adams wrote:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag
> bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:5;) 
> 
> So... I believe this signature generates alerts when packets with both
> the don't fragment and more fragments bits are set. Anyone see this
> alert much? 

Yep.  And it shows up quite a bit on big NFS networks.  This rule will be
disabled by default the next time I do a rules commit.

-b




More information about the Snort-users mailing list