[Snort-users] (spp_frag2) Oversized fragment, probable DoS

Martin Roesch roesch at ...1935...
Fri Feb 13 17:53:01 EST 2004


Hi Charles,

That alert is generated if the defragger tries to reassemble a packet 
that has a final size greater than 65535 bytes, the largest allowable 
IP packet.

Is that offset 35520 *bytes* into the packet?  If so that looks like a 
problem.  What platform are you running on?  Have you tried upgrading 
to 2.0.6?

	-Marty

On Feb 13, 2004, at 1:49 PM, Finney Charles E wrote:

> Received the following running Snort ver 2.0.0: (spp_frag2) Oversized 
> fragment, probable DoS
>
> The alerts logged are all of the form:
> 1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480 at ...11202...+)
> 0x0000   4500 05dc 78fa 3158 7e01 f3d1 0102 0304       E...x.1X~....+`F
> 0x0010   0506 0708 efbe adde efbe adde efbe adde        .5.U............
> 0x0020   efbe adde efbe adde efbe adde efbe adde        ................
> ...
> 0x05d0   efbe adde efbe adde efbe adde                  ............
>
> Fully half of the 2800 alerts were for offset 35520.  The traffic 
> appears to have been stimulated by an application called "SiSandra".  
> The Snort doc offers no clue as to the rationale for generating the 
> alert, as best I can tell.
>
> Any knowledge about what trips "(spp_frag2) Oversized fragment" 
> appreciated.
>
> Thanks,
> Charles E. Finney
> Deere & Company
>
--
Martin Roesch - Founder/CTO, Sourcefire Inc. - (410)290-1616
Sourcefire: Intelligent Security Monitoring
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
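To make the arithmetic behind the alert concrete, here is an added example (not Snort's frag2 code, and not from either poster) that parses the IPv4 header from the hex dump quoted above and applies the check described in the reply: does fragment offset plus payload push the reassembled datagram past 65535 bytes? The field names and the second constructed header in the comments are assumptions for illustration.

```python
"""Added example: re-do the spp_frag2 'Oversized fragment' check by hand.

Illustrative code only; it is not Snort's frag2 source.  The sample header
is taken from the first 20 bytes of the hex dump quoted in the thread.
"""
import struct

# First 20 bytes of the quoted dump (the IP header; the rest is ICMP filler).
SAMPLE_HEADER_HEX = "4500 05dc 78fa 3158 7e01 f3d1 0102 0304 0506 0708"

MAX_IP_DATAGRAM = 65535  # largest allowable IP packet, as the reply states


def parse_ipv4_fragment(hex_dump):
    """Decode an IPv4 header and return its fragment fields in *bytes*.

    tcpdump and the fragment-offset field disagree on units: the header
    stores the offset in 8-byte blocks, tcpdump prints it in bytes.
    """
    raw = bytes.fromhex(hex_dump.replace(" ", ""))
    if len(raw) < 20:
        raise ValueError("need at least the 20-byte fixed IPv4 header")
    (ver_ihl, _tos, total_len, ident,
     flags_off, _ttl, proto, _csum) = struct.unpack("!BBHHHBBH", raw[:12])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20:
        raise ValueError("not a valid IPv4 header")
    more_fragments = bool(flags_off & 0x2000)     # MF flag
    offset_bytes = (flags_off & 0x1FFF) * 8       # 13-bit offset, 8-byte units
    payload_len = total_len - ihl
    return {
        "id": ident,
        "proto": proto,                # 1 == ICMP, matching the tcpdump line
        "more_fragments": more_fragments,
        "offset": offset_bytes,
        "payload_len": payload_len,
        "end": offset_bytes + payload_len,   # where this piece would land
    }


def oversized_fragment(frag):
    """frag2-style test: would reassembly exceed the maximum IP datagram?"""
    return frag["end"] > MAX_IP_DATAGRAM


if __name__ == "__main__":
    f = parse_ipv4_fragment(SAMPLE_HEADER_HEX)
    print(f, "oversized:", oversized_fragment(f))
```

For the quoted header this yields IP ID 30970, offset 35520 bytes, payload 1480 and an end position of 37000, below the 65535 limit; a constructed header with the offset field at its 13-bit maximum (65528 bytes) and the same 1480-byte payload does trip the check.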