This is a discussion on [Snort-users] frag3 alerts within the Snort forums, part of the System Security and Security Related category.
I am seeing a lot of frag3 Fragmentation overlap alerts with my DNS server as the destination and a source address that reverses to a root server. When examining the packets, the traffic seems to be valid DNS traffic, although it has nothing to do with any domains that I host. Is this some sort of attack, or is it valid traffic that is throwing false positives? If it is a false positive, is there any way I can fine-tune the frag3 preprocessor to avoid these?

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132
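The following is an added illustration, not code from the original post and not Snort's frag3 source. It models the check behind a frag3 "Fragmentation overlap" alert: two IP fragments claim the same byte range of the datagram. It also shows why the preprocessor's target-based reassembly policy matters, because a conflicting overlap reassembles differently depending on whether the destination host keeps the first or the last copy of the bytes. The `Fragment` class, the sample byte strings (placeholders, not a real DNS message) and the two policies modelled here (`first` and `last`, which are among the policy names frag3 accepts, simplified for the example) are assumptions of this example.

```python
"""Model of the fragment-overlap check performed by a reassembling IDS
(added example; not Snort source code).

Each fragment is (byte offset, payload, more-fragments flag). Two fragments
overlap when their byte ranges intersect. Whether that overlap is harmless
(a retransmitted fragment with identical bytes) or worth investigating
(different bytes in the shared region) is what the classifier below reports.
"""
from dataclasses import dataclass


@dataclass
class Fragment:
    offset: int      # byte offset into the original datagram (IP header fragment offset * 8)
    payload: bytes   # this fragment's slice of the datagram
    more: bool       # MF flag: True for every fragment except the final one

    @property
    def end(self) -> int:
        return self.offset + len(self.payload)


def find_overlaps(frags):
    """Return (i, j) index pairs (i < j, arrival order) of fragments whose byte
    ranges intersect. A non-empty result is the condition an overlap alert reports."""
    pairs = []
    for j in range(len(frags)):
        for i in range(j):
            a, b = frags[i], frags[j]
            if a.offset < b.end and b.offset < a.end:
                pairs.append((i, j))
    return pairs


def overlap_kind(frags):
    """'none' if nothing overlaps; 'identical' if every overlapping region carries
    the same bytes (typical of duplicated or retransmitted fragments);
    'conflicting' if any overlapping region differs, so reassembly depends on policy."""
    kind = "none"
    for i, j in find_overlaps(frags):
        a, b = frags[i], frags[j]
        lo, hi = max(a.offset, b.offset), min(a.end, b.end)
        if a.payload[lo - a.offset:hi - a.offset] != b.payload[lo - b.offset:hi - b.offset]:
            return "conflicting"
        kind = "identical"
    return kind


def reassemble(frags, policy="first"):
    """Rebuild the datagram under a simplified target-based policy.
    'first' keeps the earlier-arriving bytes in an overlapping region,
    'last' keeps the later-arriving bytes. Returns None when the final
    fragment is missing, a gap remains, or a fragment runs past the end."""
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy {policy!r}")
    total = None
    for f in frags:
        if not f.more:
            total = f.end          # the fragment without MF fixes the datagram length
    if total is None:
        return None
    buf = bytearray(total)
    filled = [False] * total
    # For 'first' we write later fragments first so earlier ones overwrite them.
    order = frags if policy == "last" else reversed(frags)
    for f in order:
        if f.end > total:
            return None            # fragment beyond datagram end: a separate anomaly
        buf[f.offset:f.end] = f.payload
        for k in range(f.offset, f.end):
            filled[k] = True
    if not all(filled):
        return None
    return bytes(buf)


# Constructed sample: a 24-byte placeholder "answer" split into three 8-byte
# fragments, plus a re-sent copy of the middle fragment with identical bytes.
BENIGN = [
    Fragment(0, b"DNSHDR00", True),
    Fragment(8, b"ANSWER01", True),
    Fragment(8, b"ANSWER01", True),    # duplicate of the previous fragment
    Fragment(16, b"ANSWER02", False),
]
# Same stream, but the re-sent middle fragment carries different bytes.
CONFLICT = [
    Fragment(0, b"DNSHDR00", True),
    Fragment(8, b"ANSWER01", True),
    Fragment(8, b"XXXXXX01", True),
    Fragment(16, b"ANSWER02", False),
]

if __name__ == "__main__":
    for name, frags in (("benign", BENIGN), ("conflict", CONFLICT)):
        print(name, overlap_kind(frags), find_overlaps(frags))
        for pol in ("first", "last"):
            print("  ", pol, reassemble(frags, pol))
```

When triaging alerts like the ones in the post, the distinction `overlap_kind` draws is the useful one: overlaps whose shared bytes are identical are what duplicated or retransmitted fragments look like and reassemble the same way under any policy, whereas conflicting overlaps reassemble differently per policy and merit a look at the captured packets. In Snort itself the equivalent knobs live on the `frag3_engine` preprocessor line (its `policy` and `bind_to` options let the reassembly model match the actual destination host), and an alert that has been confirmed benign for one host can be silenced for that host alone with a `suppress` entry in threshold.conf rather than by disabling the check globally.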