Snort mailing list archives
Re: Missing port number in alert file.
From: Matt Kettler <mkettler () evi-inc com>
Date: Thu, 15 Aug 2002 11:56:24 -0400
Teardrop attacks aren't port dependent. It's a pure IP-layer attack involving overlapping fragments. The spp_frag2 preprocessor that detected the error isn't even aware that TCP or UDP exist, so the idea of port numbers doesn't make sense to it. The message output layers identified it as a UDP packet, but really, since it's a teardrop packet, it doesn't matter what port it's to; it's bad.
In this case one of a few things might cause this message:

1) 100.12.12.12, or one of the routers in the path to it, has a *very* buggy IP stack, i.e. it can't properly fragment packets.

2) You're running a very old, buggy version of Snort (pre 1.8) which has bugs in the frag preprocessor. (Some very old versions of Snort have buggy stream/frag handling.)

3) This packet is part of an attempt to evade IDS detection, via fragroute or similar tools.

4) This is a lame attempt to perform a denial of service attack on 192.168.1.2.

At 01:30 PM 8/15/2002 +0800, SW wrote:
I don't know why there is no port number shown in the alert file when there is a Frag attack (for example a Teardrop attack). Here is a sample alert msg:

    [**] [113:2:1] spp_frag2: Teardrop attack [**]
    08/13/02-02:02:45.980187 100.12.12.12 -> 192.168.1.2
    UDP TTL:64 TOS:0x0 ID:242 IpLen:20 DgmLen:24
    Frag Offset: 0x0003   Frag Size: 0x0001

Port number is missing in the second line of this msg. Is this a bug of Snort?

Thanks
Sam
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
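Editor's note: the following is an added example, not code from this thread and not Snort's spp_frag2. It shows the two points at issue in working form: a teardrop-style fragment pair is detected purely at the IP layer by comparing byte ranges, and a fragment with a nonzero offset carries no UDP/TCP header at all, so there is no port to print for it. Everything below works on constructed packet bytes (the addresses and IP ID mirror Sam's alert but are not real hosts); the helper names, the 8-byte UDP header plus 24 data bytes in the first fragment, and the 4-byte overlapping second fragment are all assumptions of this example.

```python
"""
Minimal IP-fragment overlap detector (teardrop-style), written as an added
example for this thread. It is not Snort code and not spp_frag2; it keeps
only what is needed to show why overlap detection never sees a port.
Runs entirely on constructed packets; no network access.
"""
import struct
from collections import defaultdict

IP_PROTO_TCP = 6
IP_PROTO_UDP = 17


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, ident: int, proto: int,
               more_frags: bool, frag_offset_units: int, payload: bytes) -> bytes:
    """Build an IPv4 packet without options. frag_offset_units is in 8-byte units."""
    total_len = 20 + len(payload)
    flags_frag = (0x2000 if more_frags else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident,
                      flags_frag, 64, proto, 0,
                      bytes(int(o) for o in src.split(".")),
                      bytes(int(o) for o in dst.split(".")))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields the fragment tracker needs; offset is converted to bytes."""
    ihl_ver, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ihl_ver & 0x0F) * 4
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "proto": proto,
        "mf": bool(flags_frag & 0x2000),
        "offset": (flags_frag & 0x1FFF) * 8,
        "payload": pkt[ihl:total_len],
    }


def transport_ports(pkt: bytes):
    """Return (sport, dport) only when this fragment actually carries the
    transport header: offset 0, TCP or UDP, and enough payload. Any later
    fragment has no port fields in it, so the answer is None, not a guess."""
    ip = parse_ipv4(pkt)
    if ip["offset"] != 0 or ip["proto"] not in (IP_PROTO_TCP, IP_PROTO_UDP):
        return None
    if len(ip["payload"]) < 4:
        return None
    return struct.unpack("!HH", ip["payload"][:4])


class FragTracker:
    """Records the byte ranges seen per datagram and flags any new fragment
    that intersects one already seen. A real reassembler also handles
    timeouts and per-host reassembly policy; that is out of scope here."""

    def __init__(self):
        self.ranges = defaultdict(list)  # (src, dst, id, proto) -> [(start, end)]

    def add(self, pkt: bytes) -> list:
        ip = parse_ipv4(pkt)
        if not ip["mf"] and ip["offset"] == 0:
            return []  # unfragmented datagram, nothing to track
        key = (ip["src"], ip["dst"], ip["id"], ip["proto"])
        start, end = ip["offset"], ip["offset"] + len(ip["payload"])
        alerts = []
        for s, e in self.ranges[key]:
            if start < e and s < end:  # byte ranges intersect
                alerts.append(f"overlapping fragment {ip['src']} -> {ip['dst']} "
                              f"id={ip['id']} bytes [{start},{end}) overlaps [{s},{e})")
        self.ranges[key].append((start, end))
        return alerts


def teardrop_demo() -> dict:
    """Constructed sample (assumption of this example): a UDP datagram whose first
    fragment (offset 0, MF set) carries the 8-byte UDP header plus 24 data bytes,
    followed by a last fragment at offset 3 units (24 bytes) with 4 bytes of
    payload, so it lands entirely inside the first fragment's range."""
    udp_hdr = struct.pack("!HHHH", 53, 53, 8 + 24, 0)  # sport, dport, length, csum
    first = build_ipv4("100.12.12.12", "192.168.1.2", 242, IP_PROTO_UDP,
                       True, 0, udp_hdr + b"A" * 24)
    second = build_ipv4("100.12.12.12", "192.168.1.2", 242, IP_PROTO_UDP,
                        False, 3, b"B" * 4)
    tracker = FragTracker()
    return {
        "first_alerts": tracker.add(first),
        "second_alerts": tracker.add(second),
        "first_ports": transport_ports(first),
        "second_ports": transport_ports(second),
    }


if __name__ == "__main__":
    for k, v in teardrop_demo().items():
        print(k, v)
```

The overlap check never consults the protocol field beyond using it as part of the reassembly key, which is the layer spp_frag2 works at. The ports come out of `transport_ports` only for the offset-0 fragment; for the second fragment the function returns None because the bytes that would hold the ports are simply not present in that packet.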
Current thread:
- Flex Resp Problems Owen Creger (Aug 14)
- Missing port number in alert file. SW (Aug 14)
- Re: Missing port number in alert file. Matt Kettler (Aug 15)
- Re: Flex Resp Problems Jeff Nathan (Aug 15)