[Snort-users] Snort Rules Help
mkettler at ...4108...
Fri Jul 9 12:00:01 EDT 2004
At 12:26 PM 7/9/2004, Cunningham, Andy wrote:
>pass udp $SRC any <> $DEST $PORT (classtype:ignore)
>alert ip any any -> any any (msg: "Unexpected unclassified traffic";
>classtype: unexpected-traffic; )
>These rules work fine for most of the traffic, but when I get a fragmented
>UDP packet come through, the fragment causes the alert to be generated.
>I've tried adding a fragoffset:0 into the rule to only alert if it's the
>first fragment, but it doesn't seem to help.
>Can anyone suggest what I might be doing wrong?
No I can't.. the behavior you saw the first time around is pretty much
as expected, since the fragments are IP packets, not UDP packets (they have
no UDP header in them).
However, I would have expected that adding fragoffset:0 to the alert would
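A small Python model of the situation described in this thread, added here as an illustration (it is not Snort code and does not reproduce Snort's decoder). It builds two constructed IPv4 fragments of one UDP datagram and evaluates the thread's pass/alert rules against them, assuming that pass rules are checked before alert rules and that only the offset-0 fragment carries a UDP header; the `$SRC <> $DEST $PORT` check is approximated as "both hosts belong to the rule and either port matches".

```python
import struct

# Constructed sample values standing in for the thread's $SRC, $DEST and $PORT.
SRC, DST, PORT = "10.0.0.5", "10.0.0.9", 5000

def ipv4(src, dst, proto, mf, offset, payload):
    """Build a minimal IPv4 header (no options, zero checksum) followed by payload."""
    flags_frag = (0x2000 if mf else 0) | (offset & 0x1FFF)   # MF flag + 13-bit offset
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                      64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return hdr + payload

# One 1488-byte UDP datagram split in two: the first fragment carries the UDP header,
# the second starts 185*8 = 1480 bytes into the datagram and has no UDP header at all.
udp_hdr = struct.pack("!HHHH", 40000, PORT, 8 + 1480, 0)
FIRST_FRAG = ipv4(SRC, DST, 17, True, 0, udp_hdr + b"A" * 1472)
SECOND_FRAG = ipv4(SRC, DST, 17, False, 185, b"A" * 8)

def decode(pkt):
    """Extract the fields the rules look at; UDP ports only exist on an offset-0 fragment."""
    _, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    p = {"proto": proto, "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
         "fragoffset": flags_frag & 0x1FFF, "ports": None}
    if proto == 17 and p["fragoffset"] == 0:
        p["ports"] = struct.unpack("!HH", pkt[20:24])
    return p

# The thread's rules, plus the alert rule with fragoffset:0 added.
PASS_UDP = {"action": "pass", "proto": "udp", "hosts": {SRC, DST}, "port": PORT}
ALERT_IP = {"action": "alert", "proto": "ip"}
ALERT_IP_FRAG0 = {"action": "alert", "proto": "ip", "fragoffset": 0}

def rule_matches(rule, p):
    """A 'udp' rule needs a decoded UDP header; an 'ip' rule matches any IP packet."""
    if rule["proto"] == "udp":
        if p["ports"] is None:                       # non-first fragment: no UDP header
            return False
        if not ({p["src"], p["dst"]} <= rule["hosts"] and rule["port"] in p["ports"]):
            return False
    if "fragoffset" in rule and p["fragoffset"] != rule["fragoffset"]:
        return False
    return True

def verdict(pkt, rules):
    """First matching rule wins; pass rules are evaluated ahead of alert rules (assumed)."""
    p = decode(pkt)
    for rule in sorted(rules, key=lambda r: r["action"] != "pass"):
        if rule_matches(rule, p):
            return rule["action"]
    return "none"
```

With the two original rules the second fragment is never matched by the pass rule and so hits the catch-all `alert ip`; with `fragoffset:0` on the alert rule it matches neither.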