Snort mailing list archives
bad frag bits
From: scadams () t-online de (Samuel C. Adams)
Date: Mon, 24 Nov 2003 22:00:39 +0100
alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:5;)

So... I believe this signature generates alerts when packets with both the don't fragment and more fragments bits are set. Anyone see this alert much? I'm seeing it primarily with UDP packets coming from audio/video streaming sites (i.e. Realnetworks, Kontiki, Shockwave). Usually these UDP packets are fairly large and it's possible they have to travel over a link with low MTU at some point.

Is it possible to fragment packets if the don't fragment bit is set? Are there routers out there that do that? I thought routers were supposed to send ICMP code 3 type 4 messages (Fragmentation Needed and Don't Fragment was Set) if they are forced to deal with packets that are too large. Is that not always the case?
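An added example, not part of the original post: a small evaluator for the fragbits test in the rule above, run over constructed IPv4 headers to show which flag combinations fragbits:MD matches. The modifier handling (+, *, !) follows the Snort manual's description of the option and is an assumption about Snort's behaviour, and header(), SAMPLES and the documentation-range addresses are made up for the illustration.

```python
import struct

# Flag bits in the 16-bit flags/fragment-offset field of the IPv4 header (RFC 791).
RESERVED, DF, MF = 0x8000, 0x4000, 0x2000
LETTERS = {"R": RESERVED, "D": DF, "M": MF}

def ip_frag_field(packet: bytes):
    """Return (flag_bits, fragment_offset_in_bytes) from a raw IPv4 header."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (field,) = struct.unpack_from("!H", packet, 6)
    return field & 0xE000, (field & 0x1FFF) * 8

def fragbits_match(option: str, packet: bytes) -> bool:
    """Evaluate a fragbits option such as 'MD', 'D+', 'MD*' or '!M'."""
    mode = "".join(c for c in option if c in "+*!")
    wanted = 0
    for c in option:
        if c in LETTERS:
            wanted |= LETTERS[c]
        elif c not in "+*!":
            raise ValueError(f"unknown fragbits character {c!r}")
    flags, _ = ip_frag_field(packet)
    if mode == "+":                      # listed bits set, others allowed
        return (flags & wanted) == wanted
    if mode == "*":                      # any of the listed bits set
        return (flags & wanted) != 0
    if mode == "!":                      # none of the listed bits set
        return (flags & wanted) == 0
    if mode == "":                       # exactly the listed bits set
        return flags == wanted
    raise ValueError("at most one modifier is allowed")

def header(flags: int, offset_bytes: int = 0) -> bytes:
    """Constructed 20-byte IPv4/UDP header (checksum left at 0) for the samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 1500, 0x1234,
                       flags | (offset_bytes // 8), 64, 17, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))

SAMPLES = {  # constructed sample headers, not captured traffic
    "DF only": header(DF),
    "first fragment (MF)": header(MF),
    "last fragment": header(0, 1480),
    "DF and MF together": header(DF | MF),
}

def alerts(option: str = "MD"):
    """Names of the sample headers that the given fragbits option matches."""
    return [name for name, pkt in SAMPLES.items() if fragbits_match(option, pkt)]

if __name__ == "__main__":
    print(alerts())
```

Of the four samples, only the header with both DF and MF set matches fragbits:MD; ordinary fragments and unfragmented DF packets do not.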