[Snort-users] frag3 alerts

Drew Burchett DrewB at ...13821...
Mon May 22 11:36:05 EDT 2006


Well, I'm pretty sure I've got that set right.  The host is running Suse
Linux 10.0 and I've got the configuration set to:

preprocessor frag3_engine: policy linux bind_to 65.241.66.12

That seemed to be how I should have it set according to the chart in
README.frag3.

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone:  (270)527-3293
Fax:     (270)527-3132


> -----Original Message-----
> From: Joel Esler [mailto:joel.esler at ...1935...]
> Sent: Monday, May 22, 2006 1:31 PM
> To: Drew Burchett
> Cc: snort-users at lists.sourceforge.net; rmkml
> Subject: Re: [Snort-users] frag3 alerts
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Of course.  Frag3 is target based (tuned to the OS) of your machine.
> Therefore you need to create an entry in your snort.conf specifically
> tuned to the OS of your DNS server (and any other host on your
network)
> 
> If you need further help, feel free to email the list or me
personally,
> however, please review the examples in the snort.conf under the frag3
> heading.
> 
> Joel Esler
> 
> Drew Burchett wrote:
> >
> >
> > From examining the packet capture, I?ve determined that the
?offending?
> > traffic is an NXDomain response from a valid root server.  It?s
being
> > caused by doing reverse lookups on spam email.
> >
> >
> >
> > However, the question remains, is there any way I can fine tune the
> > frag3 preprocessor to avoid these false positives?
> >
> >
> >
> > Drew Burchett
> >
> > United Systems & Software
> >
> > http://www.united-systems.com
> >
> > Phone:  (270)527-3293
> >
> > Fax:     (270)527-3132
> >
> >
> >
> > * From: * snort-users-admin at lists.sourceforge.net
> > [mailto:snort-users-admin at lists.sourceforge.net] *On Behalf Of *Drew
> > Burchett
> > *Sent:* Monday, May 22, 2006 11:18 AM
> > *To:* snort-users at lists.sourceforge.net
> > *Subject:* [Snort-users] frag3 alerts
> >
> >
> >
> > I am seeing a lot of frag3 Fragmentation overlap alerts with my DNS
> > server as the destination and a source address that reverses to a
root
> > server.  When examining the packets, the traffic seems to be valid
DNS
> > traffic, although it has nothing to do with any domains that I host.
Is
> > this some sort of attack, or is it valid traffic that is throwing
false
> > positives?  If it is a false positive, is there any way I can
fine-tune
> > the frag3 preprocessor to avoid these?
> >
> >
> >
> > Drew Burchett
> >
> > United Systems & Software
> >
> > http://www.united-systems.com
> >
> > Phone:  (270)527-3293
> >
> > Fax:     (270)527-3132
> >
> >
> >
> >
> > --
> >
> > CONFIDENTIALITY NOTICE: This e-mail message, including any
attachments,
> > is for the sole use of the intended recipient(s) and may contain
> > confidential and privileged information. Any unauthorized review,
use,
> > disclosure or distribution is prohibited. If you are not the
intended
> > recipient, please contact the sender by reply e-mail and destroy all
> > copies of the original message.
> >
> >
> > --
> > This message has been scanned for viruses and
> > dangerous content by *MailScanner* <http://www.mailscanner.info/>*,
and
> is
> > believed to be clean.
> > -- *
> >
> > *CONFIDENTIALITY NOTICE: This e-mail message, including any
attachments,
> > is for the sole use of the intended recipient(s) and may contain
> > confidential and privileged information. Any unauthorized review,
use,
> > disclosure or distribution is prohibited. If you are not the
intended
> > recipient, please contact the sender by reply e-mail and destroy all
> > copies of the original message. *
> >
> > *
> > --
> > This message has been scanned for viruses and
> > dangerous content by *MailScanner* <http://www.mailscanner.info/>,
and
> is
> > believed to be clean. *
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
> 
> iD8DBQFEcgNbKbCSyXHckt4RAtp4AKCB1iImdRYQ0U8WX0/eIaPWocRf8gCbBmky
> MeeGd4uQmcmw8Mn+ypfbHjg=
> =cFjW
> -----END PGP SIGNATURE-----


--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

-- 
This message has been scanned for viruses and dangerous content by MailScanner and is believed to be clean.





More information about the Snort-users mailing list