[Snort-users] frag3: Fragmentation overlap

Martin Roesch roesch at ...1935...
Mon Sep 25 14:30:43 EDT 2006

Hash: SHA1

Hey Paul,

It means that there are IP fragments on the network with offsets that  
fall within the data portion of another fragment.  It could be  
indicative of someone trying to evade your IDS by knowing how a  
target will explicitly put its fragments back together in the event  
of overlaps and guessing that the IDS isn't going to do it that way.   
This is a classic evasion scenario as described by Ptacek & Newsham[1].

It's either that, or (way more likely) a misconfigured NFS server or  
something of that ilk.  :)


[1] http://www.snort.org/docs/idspaper/

On Sep 25, 2006, at 1:02 PM, Paul Schmehl wrote:

> Can anyone explain exactly what this alert means?  (Other than the  
> fact that the packets are being fragmented and there is overlap?)   
> Is it the prelude to an attack?  A misconfigured host?
> Paul Schmehl (pauls at ...6838...)
> Adjunct Information Security Officer
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
> ---------------------------------------------------------------------- 
> ---
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to  
> share your
> opinions on IT & business topics through brief surveys -- and earn  
> cash
> http://www.techsay.com/default.php? 
> page=join.php&p=sourceforge&CID=DEVDEV________________________________ 
> _______________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

- --
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Security for the Real World - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

Version: GnuPG v1.4.1 (Darwin)


More information about the Snort-users mailing list