[Snort-users] (no subject)
Finney Charles E
FinneyCharlesE at ...2134...
Mon Feb 16 09:23:01 EST 2004
I understand the explanation. Sort of. However:
1. As icmp echo replies, I have the expectation that the replies contain the echo request data. The pre-processor did not alert on any echo requests, so why replies? BTW, the MTU is 1500 end-to-end, so the fragmentation was done by the src host in each direction, not intervining routers.
2. Given a "Total Length" field at ip[2:2] with a max value of 65535, what transpires to give > 65535? If the src does not support > 65507 the an error is returned and no data is sent. I have no understanding of what will actually transpire if the src can do > 65507 and the dst cannot.
3. What am I missing in interpretation of the packet that points to trouble as a function of offset 35520? My trusty calculator shows 35520 div 8 = 4440, looks like all the numbers comply with the rfcs. Yes/No? Or are you simply saying crafted ping traffic with these kinds of sizes are trouble?
4. No, we haven't upgraded anywhere. A lab project for sure - typical in up to our eyeballs problem.
>Cc: snort-users at lists.sourceforge.net
>From: Martin Roesch <roesch at ...1935...>
>Subject: Re: [Snort-users] (spp_frag2) Oversized fragment, probable DoS
>Date: Fri, 13 Feb 2004 20:49:53 -0500
>To: "Finney Charles E" <FinneyCharlesE at ...2134...>
>That alert is generated if the defragger tries to reassemble a packet=20
>that has a final size greater than 65535 bytes, the largest allowable=20
>Is that offset 35520 *bytes* into the packet? If so that looks like a=20=
>problem. What platform are you running on? Have you tried upgrading=20
>On Feb 13, 2004, at 1:49 PM, Finney Charles E wrote:
>> Received the following running Snort ver 2.0.0: (spp_frag2) Oversized=20=
>> fragment, probable DoS
>> The alerts logged are all of the form:
>> 220.127.116.11 > 18.104.22.168: icmp (frag 30970:1480 at ...11202...+)
>> 0x0000 4500 05dc 78fa 3158 7e01 f3d1 0102 0304 =
>> 0x0010 0506 0708 efbe adde efbe adde efbe adde =20
>> 0x0020 efbe adde efbe adde efbe adde efbe adde =20
>> 0x05d0 efbe adde efbe adde efbe adde ............
>> Fully half of the 2800 alerts were for offset 35520. The traffic=20
>> appears to have been stimulated by an application called "SiSandra". =20=
More information about the Snort-users