This is a discussion on [Snort-users] (no subject) within the Snort forums, part of the System Security and Security Related category.
I understand the explanation. Sort of. However:
1. As icmp echo replies, I have the expectation that the replies contain the echo request data. The pre-processor did not alert on any echo requests, so why replies? BTW, the MTU is 1500 end-to-end, so the fragmentation was done by the src host in each direction, not intervening routers.

2. Given a "Total Length" field at ip[2:2] with a max value of 65535, what transpires to give > 65535? If the src does not support > 65507 then an error is returned and no data is sent. I have no understanding of what will actually transpire if the src can do > 65507 and the dst cannot.

3. What am I missing in interpretation of the packet that points to trouble as a function of offset 35520? My trusty calculator shows 35520 div 8 = 4440, looks like all the numbers comply with the rfcs. Yes/No? Or are you simply saying crafted ping traffic with these kinds of sizes are trouble?

4. No, we haven't upgraded anywhere. A lab project for sure - typical in up to our eyeballs problem.

Thanks,
Charlie

>Cc: snort-users@lists.sourceforge.net
>From: Martin Roesch <roesch@sourcefire.com>
>Subject: Re: [Snort-users] (spp_frag2) Oversized fragment, probable DoS
>Date: Fri, 13 Feb 2004 20:49:53 -0500
>To: "Finney Charles E" <FinneyCharlesE@JohnDeere.com>
>
>Hi Charles,
>
>That alert is generated if the defragger tries to reassemble a packet
>that has a final size greater than 65535 bytes, the largest allowable
>IP packet.
>
>Is that offset 35520 *bytes* into the packet? If so that looks like a
>problem. What platform are you running on? Have you tried upgrading
>to 2.0.6?
>
> -Marty
>
>On Feb 13, 2004, at 1:49 PM, Finney Charles E wrote:
>
>> Received the following running Snort ver 2.0.0: (spp_frag2) Oversized
>> fragment, probable DoS
>>
>> The alerts logged are all of the form:
>> 1.2.3.4 > 5.6.7.8: icmp (frag 30970:1480@35520+)
>> 0x0000 4500 05dc 78fa 3158 7e01 f3d1 0102 0304 E...x.1X~....+`F
>> 0x0010 0506 0708 efbe adde efbe adde efbe adde .5.U............
>> 0x0020 efbe adde efbe adde efbe adde efbe adde ................
>> ...
>> 0x05d0 efbe adde efbe adde efbe adde ............
>>
>> Fully half of the 2800 alerts were for offset 35520. The traffic
>> appears to have been stimulated by an application called "SiSandra".
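The arithmetic Charlie and Marty are arguing over can be checked directly against the hex dump in the thread. The following is an added example, not code from the thread or from Snort's spp_frag2: it decodes the 20-byte IPv4 header quoted above, reproduces tcpdump's `frag ID:LEN@OFFSET+` notation, and applies the rule Marty describes (alert when the reassembled datagram would exceed 65535 bytes). The second header is a constructed fragment, not something from the thread, with the offset field at its 13-bit maximum, to show the one case in which that rule fires; the `FragmentTracker` class and all function names are this example's own.

```python
"""Decode the fragment header quoted in the thread and apply the
'reassembled size > 65535' check that the frag2 alert is described as using.
Added example; not Snort code."""
import struct

MAX_IP_DATAGRAM = 65535  # largest value the 16-bit Total Length field can hold

# First 20 bytes of the hex dump quoted in the thread (IPv4 header, no options).
FRAG_FROM_THREAD = bytes.fromhex(
    "4500 05dc 78fa 3158 7e01 f3d1 0102 0304 0506 0708".replace(" ", "")
)

# Constructed header (NOT from the thread): same ID/addresses, but the fragment
# offset field is 0x1FF8 = 8184 units of 8 bytes = 65472 bytes, MF clear.
# 1480 payload bytes starting there would end at 66952, past the 65535 ceiling.
CONSTRUCTED_OVERSIZED = struct.pack(
    "!BBHHHBBH4s4s",
    0x45, 0, 1500, 30970, 0x1FF8, 126, 1, 0,
    bytes([1, 2, 3, 4]), bytes([5, 6, 7, 8]),
)


def parse_ipv4_header(pkt: bytes) -> dict:
    """Return the IPv4 header fields that matter for fragment reassembly."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # header length is in 32-bit words
    return {
        "ihl": ihl,
        "total_len": total_len,
        "id": ident,
        "df": bool(flags_frag & 0x4000),  # Don't Fragment
        "mf": bool(flags_frag & 0x2000),  # More Fragments (tcpdump's trailing '+')
        "frag_offset": (flags_frag & 0x1FFF) * 8,  # 13-bit field, 8-byte units
        "ttl": ttl,
        "proto": proto,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
        "payload_len": total_len - ihl,   # bytes this fragment contributes
    }


def reassembled_end(hdr: dict) -> int:
    """Byte position just past this fragment's data in the reassembled datagram."""
    return hdr["frag_offset"] + hdr["payload_len"]


def is_oversized(hdr: dict) -> bool:
    """Single-fragment form of the check Marty describes."""
    return reassembled_end(hdr) > MAX_IP_DATAGRAM


def tcpdump_style(hdr: dict) -> str:
    """Render the fragment the way tcpdump prints it: 'frag ID:LEN@OFFSET[+]'."""
    more = "+" if hdr["mf"] else ""
    return f"frag {hdr['id']}:{hdr['payload_len']}@{hdr['frag_offset']}{more}"


class FragmentTracker:
    """Per-datagram bookkeeping: remember the highest byte any fragment of a
    (src, dst, id, proto) datagram claims, and flag it once that passes 65535."""

    def __init__(self) -> None:
        self.high_water: dict[tuple, int] = {}

    def observe(self, hdr: dict) -> bool:
        key = (hdr["src"], hdr["dst"], hdr["id"], hdr["proto"])
        end = reassembled_end(hdr)
        self.high_water[key] = max(self.high_water.get(key, 0), end)
        return self.high_water[key] > MAX_IP_DATAGRAM


if __name__ == "__main__":
    for raw in (FRAG_FROM_THREAD, CONSTRUCTED_OVERSIZED):
        h = parse_ipv4_header(raw)
        print(f"{h['src']} > {h['dst']}: {tcpdump_style(h)} "
              f"ends at byte {reassembled_end(h)}, oversized={is_oversized(h)}")
```

Run as-is, the first line confirms the thread's numbers: ID 30970, offset field 4440 (35520 bytes), 1480 payload bytes, More Fragments set, so this fragment alone ends at byte 37000, well under 65535. Whether the datagram as a whole is oversized depends on the fragment with the highest offset, which is why the tracker keeps a per-datagram high-water mark rather than judging each fragment on its own.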