Snort mailing list archives

(spp_frag2) Oversized fragment, probable DoS


From: "Finney Charles E" <FinneyCharlesE () JohnDeere com>
Date: Fri, 13 Feb 2004 12:49:09 -0600

Received the following running Snort ver 2.0.0: (spp_frag2) Oversized fragment, probable DoS 

The alerts logged are all of the form:
1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480@35520+)
0x0000   4500 05dc 78fa 3158 7e01 f3d1 0102 0304       E...x.1X~....+`F
0x0010   0506 0708 efbe adde efbe adde efbe adde        .5.U............
0x0020   efbe adde efbe adde efbe adde efbe adde        ................
...
0x05d0   efbe adde efbe adde efbe adde                  ............

Fully half of the 2800 alerts were for offset 35520.  The traffic appears to have been stimulated by an application 
called "SiSandra".  The Snort doc offers no clue as to the rationale for generating the alert, as best I can tell.

Any knowledge about what trips "(spp_frag2) Oversized fragment" appreciated.

Thanks,
Charles E. Finney
Deere & Company
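
Added example, not part of the original post and not Snort's frag2 code: a decoder for the 20-byte IPv4 header in the dump above, which recovers the fragment fields shown in the alert line and reports where the fragment would end in the reassembled datagram. The comparison against the 65535-byte IPv4 maximum is a generic sanity check assumed here for triage, not the documented trigger for this alert; the function and field names are hypothetical.

```python
import struct

# First 20 bytes of the hex dump in the post (addresses as anonymized there).
HEADER_HEX = "4500 05dc 78fa 3158 7e01 f3d1 0102 0304 0506 0708"
IP_MAX_DATAGRAM = 65535  # largest value the 16-bit total-length field can hold


def parse_ipv4_fragment(header_hex):
    """Decode an IPv4 header given as hex text and return its fragment fields."""
    raw = bytes.fromhex("".join(header_hex.split()))
    if len(raw) < 20:
        raise ValueError("need at least 20 bytes of IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    offset = (flags_off & 0x1FFF) * 8   # 13-bit field, counted in 8-byte units
    payload_len = total_len - ihl       # bytes of data carried by this fragment
    end = ihl + offset + payload_len    # datagram size implied by this fragment
    return {
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "id": ident,
        "ttl": ttl,
        "proto": proto,
        "more_fragments": bool(flags_off & 0x2000),
        "offset": offset,
        "payload_len": payload_len,
        "datagram_end": end,
        # Assumed generic check: would reassembly exceed the IPv4 maximum?
        "exceeds_max": end > IP_MAX_DATAGRAM,
    }


def tcpdump_style(f):
    """Render the fields the way the alert line in the post shows them."""
    name = "icmp" if f["proto"] == 1 else "ip-proto-%d" % f["proto"]
    more = "+" if f["more_fragments"] else ""
    return "%s > %s: %s (frag %d:%d@%d%s)" % (
        f["src"], f["dst"], name, f["id"], f["payload_len"], f["offset"], more)


if __name__ == "__main__":
    frag = parse_ipv4_fragment(HEADER_HEX)
    print(tcpdump_style(frag))
    print("datagram end:", frag["datagram_end"], "exceeds max:", frag["exceeds_max"])
```
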


