No subject


Thu Nov 23 16:36:19 EST 2017


traffic is an NXDomain response from a valid root server.  It's being
caused by doing reverse lookups on spam email.

=20

However, the question remains, is there any way I can fine tune the
frag3 preprocessor to avoid these false positives?

=20

Drew Burchett

United Systems & Software

http://www.united-systems.com

Phone:  (270)527-3293

Fax:     (270)527-3132

=20

  _____=20=20

From: snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] On Behalf Of Drew
Burchett
Sent: Monday, May 22, 2006 11:18 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] frag3 alerts

=20

I am seeing a lot of frag3 Fragmentation overlap alerts with my DNS
server as the destination and a source address that reverses to a root
server.  When examining the packets, the traffic seems to be valid DNS
traffic, although it has nothing to do with any domains that I host.  Is
this some sort of attack, or is it valid traffic that is throwing false
positives?  If it is a false positive, is there any way I can fine-tune
the frag3 preprocessor to avoid these?

=20

Drew Burchett

United Systems & Software

http://www.united-systems.com

Phone:  (270)527-3293

Fax:     (270)527-3132

=20


--=20

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.=20


--=20
This message has been scanned for viruses and=20
dangerous content by MailScanner <http://www.mailscanner.info/> , and is

believed to be clean.=20

--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is =
for the sole use of the intended recipient(s) and may contain confidential =
and privileged information. Any unauthorized review, use, disclosure or dis=
tribution is prohibited. If you are not the intended recipient, please cont=
act the sender by reply e-mail and destroy all copies of the original messa=
ge.

--=20
This message has been scanned for viruses and dangerous content by MailScan=
ner and is believed to be clean.


------_=_NextPart_001_01C67DCD.5500AA74
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns=3D"http://www.w3.org/TR/REC-html40">

<head>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]-->
<style>
<!--
 /* Font Definitions */
 @font-face
	{font-family:Tahoma;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
	{font-family:Verdana;
	panose-1:2 11 6 4 3 5 4 4 2 4;}
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
p.MsoPlainText, li.MsoPlainText, div.MsoPlainText
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:10.0pt;
	font-family:"Courier New";}
p.MsoAutoSig, li.MsoAutoSig, div.MsoAutoSig
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
span.EmailStyle18
	{mso-style-type:personal;
	font-family:Arial;
	color:windowtext;}
span.EmailStyle19
	{mso-style-type:personal-reply;
	font-family:Arial;
	color:navy;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
</style>
<!--[if gte mso 9]><xml>
 <o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
 <o:shapelayout v:ext=3D"edit">
  <o:idmap v:ext=3D"edit" data=3D"1" />
 </o:shapelayout></xml><![endif]-->
</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>From examining the packet capture, I&#=
8217;ve
determined that the “offending” traffic is an NXDomain response
from a valid root server.  It’s being caused by doing reverse lo=
okups on
spam email.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'>However, the question remains, is there
any way I can fine tune the frag3 preprocessor to avoid these false positiv=
es?<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<div>

<p class=3DMsoAutoSig><font size=3D2 color=3Dnavy face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:navy'>Drew Burchett<o:p=
></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D2 color=3Dnavy face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:navy'>United Systems &a=
mp;
Software<o:p></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D2 color=3Dnavy face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:navy'>http://www.united=
-systems.com<o:p></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D2 color=3Dnavy face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:navy'>Phone:  (270=
)527-3293<o:p></o:p></span></font></p>

<p class=3DMsoPlainText><font size=3D2 color=3Dnavy face=3DVerdana><span
style=3D'font-size:10.0pt;font-family:Verdana;color:navy'>Fax:  &=
nbsp;  (270)527-3132<o:p></o:p></span></font></p>

</div>

<p class=3DMsoNormal><font size=3D2 color=3Dnavy face=3DArial><span style=
=3D'font-size:
10.0pt;font-family:Arial;color:navy'><o:p> </o:p></span></font></p>

<div style=3D'border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in =
4.0pt'>

<div>

<div class=3DMsoNormal align=3Dcenter style=3D'text-align:center'><font siz=
e=3D3
face=3D"Times New Roman"><span style=3D'font-size:12.0pt'>

<hr size=3D2 width=3D"100%" align=3Dcenter tabindex=3D-1>

</span></font></div>

<p class=3DMsoNormal><b><font size=3D2 face=3DTahoma><span style=3D'font-si=
ze:10.0pt;
font-family:Tahoma;font-weight:bold'>From:</span></font></b><font size=3D2
face=3DTahoma><span style=3D'font-size:10.0pt;font-family:Tahoma'>
snort-users-admin at lists.sourceforge.net
[mailto:snort-users-admin at lists.sourceforge.net] <b><span style=3D'font-wei=
ght:
bold'>On Behalf Of </span></b>Drew Burchett<br>
<b><span style=3D'font-weight:bold'>Sent:</span></b> Monday, May 22, 2006 1=
1:18
AM<br>
<b><span style=3D'font-weight:bold'>To:</span></b> snort-users at ...3054...=
forge.net<br>
<b><span style=3D'font-weight:bold'>Subject:</span></b> [Snort-users] frag3
alerts</span></font><o:p></o:p></p>

</div>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span style=3D=
'font-size:
12.0pt'><o:p> </o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span style=3D'font-size:1=
0.0pt;
font-family:Arial'>I am seeing a lot of frag3 Fragmentation overlap alerts =
with
my DNS server as the destination and a source address that reverses to a ro=
ot
server.  When examining the packets, the traffic seems to be valid DNS
traffic, although it has nothing to do with any domains that I host.  =
Is
this some sort of attack, or is it valid traffic that is throwing false
positives?  If it is a false positive, is there any way I can fine-tune
the frag3 preprocessor to avoid these?<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span style=3D'font-size:1=
0.0pt;
font-family:Arial'><o:p> </o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D2 face=3DVerdana><span style=3D'font-siz=
e:10.0pt;
font-family:Verdana'>Drew Burchett<o:p></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D2 face=3DVerdana><span style=3D'font-siz=
e:10.0pt;
font-family:Verdana'>United Systems & Software<o:p></o:p></span></font>=
</p>

<p class=3DMsoAutoSig><font size=3D2 face=3DVerdana><span style=3D'font-siz=
e:10.0pt;
font-family:Verdana'>http://www.united-systems.com<o:p></o:p></span></font>=
</p>

<p class=3DMsoAutoSig><font size=3D2 face=3DVerdana><span style=3D'font-siz=
e:10.0pt;
font-family:Verdana'>Phone:  (270)527-3293<o:p></o:p></span></font></p>

<p class=3DMsoAutoSig><font size=3D2 face=3DVerdana><span style=3D'font-siz=
e:10.0pt;
font-family:Verdana'>Fax:     (270)527-3132<o:p></o:p><=
/span></font></p>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span style=3D=
'font-size:
12.0pt'><o:p> </o:p></span></font></p>

</div>

</div>

</body>

<br>--
<p>CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, =
is for the sole use of the intended recipient(s) and may contain confidenti=
al and privileged information. Any unauthorized review, use, disclosure or =
distribution is prohibited. If you are not the intended recipient, please c=
ontact the sender by reply e-mail and destroy all copies of the original me=
ssage.
</p>
<br />--=20
<br />This message has been scanned for viruses and
<br />dangerous content by
<a href=3D"http://www.mailscanner.info/"></b><b>MailScanner</a>, and is
<br />believed to be clean.
<br>--
<p>CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, =
is for the sole use of the intended recipient(s) and may contain confidenti=
al and privileged information. Any unauthorized review, use, disclosure or =
distribution is prohibited. If you are not the intended recipient, please c=
ontact the sender by reply e-mail and destroy all copies of the original me=
ssage.
</p>
<br />--=20
<br />This message has been scanned for viruses and
<br />dangerous content by
<a href=3D"http://www.mailscanner.info/"><b>MailScanner</b></a>, and is
<br />believed to be clean.
</html>

------_=_NextPart_001_01C67DCD.5500AA74--




More information about the Snort-users mailing list