Snort mailing list archives
Re: bad frag bits
From: Brian <bmc () snort org>
Date: Tue, 25 Nov 2003 11:05:31 -0500
On Mon, Nov 24, 2003 at 10:00:39PM +0100, Samuel C. Adams wrote:
> alert ip $EXTERNAL_NET any -> $HOME_NET any (msg:"BAD-TRAFFIC bad frag bits"; fragbits:MD; sid:1322; classtype:misc-activity; rev:5;)
>
> So... I believe this signature generates alerts when packets with both the don't fragment and more fragments bits are set. Anyone see this alert much?
Yep. And it shows up quite a bit on big NFS networks. This rule will be disabled by default the next time I do a rules commit.

-b
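The check that sid:1322 performs, written out as an added example (not part of the original thread and not Snort's own code): it reads the flags field of an IPv4 header and evaluates a fragbits-style option, with the +, * and ! modifiers modelled on the Snort manual's description. The helper names and the sample headers are constructed for illustration.

```python
import struct

# Flag bits in the 16-bit flags/fragment-offset field of IPv4 (RFC 791).
FLAG_BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}

def ip_flags(header: bytes) -> int:
    """Return the reserved/DF/MF bits from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    (flags_frag,) = struct.unpack_from("!H", header, 6)
    return flags_frag & 0xE000  # drop the 13-bit fragment offset

def fragbits_match(option: str, header: bytes) -> bool:
    """Evaluate a fragbits option such as 'MD', 'MD+', 'MD*' or '!D'."""
    modifier, wanted = "", 0
    for ch in option:
        if ch in "+*!":
            modifier = ch
        else:
            wanted |= FLAG_BITS[ch.upper()]
    seen = ip_flags(header)
    if modifier == "+":    # all listed bits set, other bits allowed
        return seen & wanted == wanted
    if modifier == "*":    # at least one listed bit set
        return seen & wanted != 0
    if modifier == "!":    # none of the listed bits set
        return seen & wanted == 0
    return seen == wanted  # no modifier: exactly the listed bits

def make_header(flags: str, frag_offset: int = 0) -> bytes:
    """Constructed sample: 20-byte IPv4/UDP header, checksum left at 0."""
    field = frag_offset & 0x1FFF
    for ch in flags:
        field |= FLAG_BITS[ch]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, field, 64, 17, 0,
                       bytes([192, 0, 2, 1]), bytes([198, 51, 100, 1]))

if __name__ == "__main__":
    samples = {"DF only": make_header("D"),
               "MF only, offset 185": make_header("M", 185),
               "DF and MF": make_header("MD")}
    for name, hdr in samples.items():
        print(f"{name:22} fragbits:MD -> {fragbits_match('MD', hdr)}")
```

Only the header with both DF and MF set matches `fragbits:MD`; an ordinary fragment (MF alone) or an unfragmented DF packet does not.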