[Snort-users] (no subject)

Finney Charles E FinneyCharlesE at ...2134...
Mon Feb 16 09:23:01 EST 2004


I understand the explanation.  Sort of.  However:
1. As ICMP echo replies, I have the expectation that the replies contain the echo request data.  The pre-processor did not alert on any echo requests, so why replies?  BTW, the MTU is 1500 end-to-end, so the fragmentation was done by the src host in each direction, not intervening routers.

2. Given a "Total Length" field at ip[2:2] with a max value of 65535, what transpires to give > 65535?  If the src does not support > 65507 then an error is returned and no data is sent.  I have no understanding of what will actually transpire if the src can do > 65507 and the dst cannot.

3. What am I missing in interpretation of the packet that points to trouble as a function of offset 35520?  My trusty calculator shows 35520 div 8 = 4440; it looks like all the numbers comply with the RFCs.  Yes/No?  Or are you simply saying crafted ping traffic with these kinds of sizes is trouble?

4. No, we haven't upgraded anywhere.  A lab project for sure - typical in-up-to-our-eyeballs problem.

Thanks,
Charlie

>Cc: snort-users at lists.sourceforge.net
>From: Martin Roesch <roesch at ...1935...>
>Subject: Re: [Snort-users] (spp_frag2) Oversized fragment, probable DoS
>Date: Fri, 13 Feb 2004 20:49:53 -0500
>To: "Finney Charles E" <FinneyCharlesE at ...2134...>
>
>Hi Charles,
>
>That alert is generated if the defragger tries to reassemble a packet
>that has a final size greater than 65535 bytes, the largest allowable
>IP packet.
>
>Is that offset 35520 *bytes* into the packet?  If so that looks like a
>problem.  What platform are you running on?  Have you tried upgrading
>to 2.0.6?
>
>	-Marty
>
>On Feb 13, 2004, at 1:49 PM, Finney Charles E wrote:
>
>> Received the following running Snort ver 2.0.0: (spp_frag2) Oversized
>> fragment, probable DoS
>>
>> The alerts logged are all of the form:
>> 1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480 at ...11202...+)
>> 0x0000   4500 05dc 78fa 3158 7e01 f3d1 0102 0304       E...x.1X~....+`F
>> 0x0010   0506 0708 efbe adde efbe adde efbe adde       .5.U............
>> 0x0020   efbe adde efbe adde efbe adde efbe adde       ................
>> ...
>> 0x05d0   efbe adde efbe adde efbe adde                  ............
>>
>> Fully half of the 2800 alerts were for offset 35520.  The traffic
>> appears to have been stimulated by an application called "SiSandra".
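To make the arithmetic in points 2 and 3 concrete, here is an added example (not from this thread and not Snort's own spp_frag2 code) that decodes the IP header bytes quoted in the alert above and applies the size check Marty describes: fragment offset (13 bits, in 8-byte units) times 8, plus the fragment payload, must not exceed 65535. The hex input is the header from the quoted dump; the second check uses a constructed offset/length pair to show what the alert condition actually catches.

```python
import struct

# Constructed input: the first 20 bytes (IPv4 header) of the dump quoted above.
SAMPLE_HEADER_HEX = "4500 05dc 78fa 3158 7e01 f3d1 0102 0304 0506 0708"

MAX_IP_PACKET = 65535   # Total Length is a 16-bit field, so this is the ceiling
MAX_ICMP_DATA = 65507   # 65535 - 20 (IP header) - 8 (ICMP echo header)


def parse_ipv4_header(hexdump):
    """Decode the fixed 20-byte IPv4 header from a space-separated hex string."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))[:20]
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw)
    offset_units = flags_frag & 0x1FFF          # low 13 bits, 8-byte units on the wire
    return {
        "version": ver_ihl >> 4,
        "ihl_bytes": (ver_ihl & 0x0F) * 4,
        "total_length": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),        # Don't Fragment flag
        "mf": bool(flags_frag & 0x2000),        # More Fragments flag
        "frag_offset_units": offset_units,
        "frag_offset_bytes": offset_units * 8,  # the 35520 seen in the alert
        "ttl": ttl,
        "protocol": proto,                      # 1 == ICMP
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def fragment_end(offset_units, payload_len):
    """Byte position just past this fragment's payload in the reassembled datagram."""
    return offset_units * 8 + payload_len


def oversized(offset_units, payload_len):
    """The condition the defragger alerts on: reassembly would exceed 65535 bytes."""
    return fragment_end(offset_units, payload_len) > MAX_IP_PACKET


def check_header(hexdump):
    """Parse a header and report whether this single fragment alone is oversized."""
    hdr = parse_ipv4_header(hexdump)
    payload_len = hdr["total_length"] - hdr["ihl_bytes"]   # 1500 - 20 = 1480
    return hdr, fragment_end(hdr["frag_offset_units"], payload_len), \
        oversized(hdr["frag_offset_units"], payload_len)
```

For the quoted fragment this yields offset 4440 units = 35520 bytes, ending at 37000, so that fragment by itself is within the limit; the alert fires only when some fragment of the same datagram ends past 65535 (for instance the maximum offset of 8191 units with a 1480-byte payload).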