[Snort-users] Snort Rules Help

Matt Kettler mkettler at ...4108...
Fri Jul 9 12:00:01 EDT 2004


At 12:26 PM 7/9/2004, Cunningham, Andy wrote:
>pass udp $SRC any <> $DEST $PORT (classtype:ignore)
>alert ip any any -> any any (msg: "Unexpected unclassified traffic"; 
>classtype: unexpected-traffic; )
>
>
>These rules work fine for most of the traffic, but when I get a fragmented 
>UDP packet come through, the fragment causes the altert to be generated.
>
>I've tried adding a fragoffset:0 into the rule to only altert if it's the 
>first fragment, but it doesn't seem to help.
>
>Can anyone suggest what I might be doing wrong?

No I can't.. the behavior you are saw the first time around is pretty much 
as-expected, since the fragments are IP packets, not UDP packets (they have 
no UDP header in them)

However, I would have expected that adding  fragoffset:0 to the alert would 
fix it. 





More information about the Snort-users mailing list