Snort mailing list archives
Re: Checking for "Frag Offset"
From: Matt Kettler <mkettler () evi-inc com>
Date: Tue, 26 Mar 2002 16:11:32 -0500
I suspect you're confusing two things:

1) The "content" rule for snort matches packet data, not headers, so if this text was in the header, a content: rule won't catch it anyway.

2) The literal text "Frag Offset" should not be in the headers of fragmented packets. That's a human-readable decode of the binary header. They don't contain "port", "tcp" or any other such fluff either. The "Frag Offset" field of an IP header is bits 50 through 63 in the header, but that won't help you much.
I'd use the fragbits:M+ option of a snort rule to detect a fragmented packet (one which has the "More Fragments" bit set)
As for your other question about "don't fragment", use fragbits:D+; see the docs for more detail: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.7

At 03:25 PM 3/26/2002 -0500, Sheahan, Paul (PCLN-NW) wrote:
I am trying to do some testing and analysis on fragmented packets. Looking at the headers of fragmented packets, they always contain "Frag Offset:" in them. So I tried to have Snort alert on packets with content of "Frag Offset" as a test, but no alerts were generated even though many packets with "Frag Offset" in the header had entered the network. Is there another way I can have Snort alert on fragmented packets, such as with the flags: Snort option or something? Thanks!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
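The packet-side view of what Matt describes, as an added example that is not part of the original thread or of Snort's own code: it pulls the flags and fragment-offset word out of raw IPv4 headers (header bytes 6-7, so there is no literal "Frag Offset" string for a content: match to find), evaluates fragbits arguments with the +, * and ! modifiers the Snort rule docs describe, and runs fragbits:M+ and fragbits:D+ over a handful of constructed headers. One caveat a practitioner should know: the last fragment of a datagram has the More Fragments bit clear and a non-zero offset, so fragbits:M+ alone will not alert on it; the is_fragment() helper checks both conditions. All addresses, packet bytes, rule messages and function names here are constructed for the example.

```python
import socket
import struct

# Snort's fragbits letters and the bit each occupies in the 16-bit
# flags + fragment-offset word (bytes 6-7 of the IPv4 header).
FLAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}
OFFSET_MASK = 0x1FFF


def ipv4_checksum(data):
    """Standard one's-complement sum over the 16-bit words of a header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, flags=(), frag_offset=0, payload_len=0,
                      proto=17, ident=0x1234):
    """Constructed sample input: a 20-byte IPv4 header carrying the given
    flag letters and fragment offset (in bytes, a multiple of 8)."""
    word = (frag_offset // 8) & OFFSET_MASK
    for letter in flags:
        word |= FLAG_BITS[letter]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, word,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_frag_fields(packet):
    """Return (set of flag letters, fragment offset in bytes) from raw IPv4 bytes."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    word = struct.unpack("!H", packet[6:8])[0]
    flags = {letter for letter, bit in FLAG_BITS.items() if word & bit}
    return flags, (word & OFFSET_MASK) * 8


def fragbits_match(spec, flags):
    """Evaluate a fragbits argument as the Snort docs describe it:
    'MD' exact match, 'M+' listed bits set plus any others,
    'MD*' any listed bit set, '!D' none of the listed bits set."""
    modifier = ""
    if spec and spec[0] == "!":
        modifier, spec = "!", spec[1:]
    elif spec and spec[-1] in "+*":
        modifier, spec = spec[-1], spec[:-1]
    wanted = set(spec)
    if not wanted <= set(FLAG_BITS):
        raise ValueError("unknown fragbits letter in %r" % spec)
    if modifier == "+":
        return wanted <= flags
    if modifier == "*":
        return bool(wanted & flags)
    if modifier == "!":
        return not (wanted & flags)
    return wanted == flags


def is_fragment(packet):
    """True for every piece of a fragmented datagram, including the last
    fragment, which has M clear but a non-zero offset (missed by M+ alone)."""
    flags, offset = parse_frag_fields(packet)
    return "M" in flags or offset > 0


def run_rules(packets, rules):
    """Apply (msg, fragbits_spec) rules to packets; return (msg, index) hits."""
    hits = []
    for idx, pkt in enumerate(packets):
        flags, _ = parse_frag_fields(pkt)
        for msg, spec in rules:
            if fragbits_match(spec, flags):
                hits.append((msg, idx))
    return hits


# Constructed sample traffic: first fragment, middle fragment, last fragment,
# an unfragmented packet with DF set, and a plain unfragmented packet.
SAMPLE_PACKETS = [
    build_ipv4_header("10.0.0.1", "10.0.0.2", flags=("M",), frag_offset=0),
    build_ipv4_header("10.0.0.1", "10.0.0.2", flags=("M",), frag_offset=1480),
    build_ipv4_header("10.0.0.1", "10.0.0.2", frag_offset=2960),
    build_ipv4_header("10.0.0.1", "10.0.0.2", flags=("D",)),
    build_ipv4_header("10.0.0.1", "10.0.0.2"),
]

# Rules mirroring the thread's answer: fragbits:M+ and fragbits:D+.
SAMPLE_RULES = [("more fragments set", "M+"), ("dont fragment set", "D+")]


def label_appears_on_wire(packets, label=b"Frag Offset"):
    """The decoder's label is never in the packet, so content: can't see it."""
    return any(label in p for p in packets)


if __name__ == "__main__":
    for msg, idx in run_rules(SAMPLE_PACKETS, SAMPLE_RULES):
        print("packet %d: %s" % (idx, msg))
    print("any packet contains b'Frag Offset':",
          label_appears_on_wire(SAMPLE_PACKETS))
```

Running it alerts on packets 0 and 1 for M+ and on packet 3 for D+; packet 2, the last fragment, is only caught by is_fragment(), which is the gap to keep in mind when using fragbits:M+ as a catch-all for fragmented traffic.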
Current thread:
- Checking for "Frag Offset" Sheahan, Paul (PCLN-NW) (Mar 26)
- <Possible follow-ups>
- Re: Checking for "Frag Offset" Matt Kettler (Mar 26)