[Snort-users] (spp_frag2) Oversized fragment, probable DoS

Finney Charles E FinneyCharlesE at ...2134...
Fri Feb 13 11:07:06 EST 2004


Received the following running Snort ver 2.0.0: (spp_frag2) Oversized fragment, probable DoS 

The alerts logged are all of the form:
1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480 at ...11202...+)
0x0000   4500 05dc 78fa 3158 7e01 f3d1 0102 0304       E...x.1X~....+`F
0x0010   0506 0708 efbe adde efbe adde efbe adde        .5.U............
0x0020   efbe adde efbe adde efbe adde efbe adde        ................
...
0x05d0   efbe adde efbe adde efbe adde                  ............

Fully half of the 2800 alerts were for offset 35520.  The traffic appears to have been stimulated by an application called "SiSandra".  The Snort doc offers no clue as to the rationale for generating the alert, as best I can tell.

Any knowledge about what trips "(spp_frag2) Oversized fragment" appreciated.

Thanks,
Charles E. Finney
Deere & Company
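
Added example, not part of the original post and not Snort's code: decoding the IPv4 header bytes from the dump above recovers the fragment ID, offset and payload length, and shows where this fragment would end relative to the 65,535-byte IPv4 datagram limit. The function and field names are hypothetical, and the limit comparison is an illustration, not a statement of the condition frag2 tests.

```python
import struct

# IPv4 header bytes copied from the dump in the post (the poster sanitized
# the addresses, so the header checksum is not verified here).
HEX_ROWS = [
    "4500 05dc 78fa 3158 7e01 f3d1 0102 0304",
    "0506 0708",
]

IP_MAX_DATAGRAM = 65535  # ceiling of the 16-bit IPv4 total-length field


def parse_fragment(hex_rows):
    """Decode the fragmentation fields of an IPv4 header given as hex rows."""
    raw = bytes.fromhex("".join(hex_rows).replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("need at least 20 header bytes")
    (ver_ihl, _tos, total_len, ident, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    offset = (flags_off & 0x1FFF) * 8   # the field counts 8-byte units
    payload_len = total_len - ihl
    end = offset + payload_len          # one past the last byte this fragment covers
    return {
        "ident": ident,
        "proto": proto,
        "ttl": ttl,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "dont_fragment": bool(flags_off & 0x4000),
        "more_fragments": bool(flags_off & 0x2000),
        "offset": offset,
        "payload_len": payload_len,
        "end": end,
        # A reassembled datagram (header plus data) cannot exceed 65535 bytes.
        "fits_in_datagram": ihl + end <= IP_MAX_DATAGRAM,
    }


if __name__ == "__main__":
    for key, value in parse_fragment(HEX_ROWS).items():
        print(f"{key:17} {value}")
```

The decoded ID (30970), payload length (1480) and offset (35520) agree with the figures in the alert line and the post.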




