This is a discussion on RE: [Snort-users] frag3 alerts within the Snort forums, part of the System Security and Security Related category.
From examining the packet capture, I've determined that the "offending" traffic is an NXDomain response from a valid root server. It's being caused by doing reverse lookups on spam email.

However, the question remains, is there any way I can fine tune the frag3 preprocessor to avoid these false positives?

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132

_____

From: snort-users-admin@lists.sourceforge.net [mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Drew Burchett
Sent: Monday, May 22, 2006 11:18 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] frag3 alerts

I am seeing a lot of frag3 Fragmentation overlap alerts with my DNS server as the destination and a source address that reverses to a root server. When examining the packets, the traffic seems to be valid DNS traffic, although it has nothing to do with any domains that I host. Is this some sort of attack, or is it valid traffic that is throwing false positives? If it is a false positive, is there any way I can fine-tune the frag3 preprocessor to avoid these?

Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132

--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

--
This message has been scanned for viruses and dangerous content by MailScanner <http://www.mailscanner.info/>, and is believed to be clean.

_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/...fo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.p...st=snort-users
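The post asks how to keep frag3 from alerting on fragmented DNS replies that have been confirmed benign. One way to answer that without touching the frag3 engine itself is to triage the alerts and suppress only the exact gid/sid for the confirmed sources. The script below is an added example written for this page; it is not code from the thread, from Drew Burchett, or from the Snort project. It parses Snort 2.x alert_fast-style lines, counts "Fragmentation overlap" events per source/destination pair, and emits `suppress` entries in threshold.conf syntax for sources an analyst has verified. Assumptions: the frag3 generator id is 123 and the "Fragmentation overlap" signature id is 8 (check these against the gen-msg.map shipped with your Snort build); the alert lines and all addresses (RFC 5737 documentation ranges) are constructed sample input.

```python
import re
from collections import Counter

# Constructed sample alert_fast lines in the Snort 2.x style. Addresses are
# RFC 5737 documentation ranges, not real hosts. Fragments carry no ports, so
# the frag3 lines show bare addresses; the unrelated TCP line shows ports.
SAMPLE_ALERTS = """\
05/22-11:02:17.481203  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Priority: 3] {UDP} 192.0.2.53 -> 198.51.100.10
05/22-11:02:17.482011  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Priority: 3] {UDP} 192.0.2.53 -> 198.51.100.10
05/22-11:05:44.010332  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Priority: 3] {UDP} 203.0.113.77 -> 198.51.100.10
05/22-11:06:02.900100  [**] [1:1000001:1] example rule [**] [Priority: 2] {TCP} 203.0.113.9:4412 -> 198.51.100.20:25
05/22-11:09:31.227748  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Priority: 3] {UDP} 192.0.2.53 -> 198.51.100.10
"""

FRAG3_GID = 123           # frag3 preprocessor generator id (assumed; verify in gen-msg.map)
FRAG_OVERLAP_SID = 8      # "Fragmentation overlap" (assumed; verify in gen-msg.map)

# [**] [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?"
)


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        d = m.groupdict()
        d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
        events.append(d)
    return events


def overlap_sources(events):
    """Count frag3 overlap alerts per (src, dst) pair so the noisy sources stand out."""
    counts = Counter()
    for e in events:
        if e["gid"] == FRAG3_GID and e["sid"] == FRAG_OVERLAP_SID:
            counts[(e["src"], e["dst"])] += 1
    return counts


def suppress_entries(counts, verified_sources):
    """Emit threshold.conf suppress lines, one per verified source address.

    Only sources the analyst has independently verified belong here. A PTR
    record that merely "reverses to a root server" is controlled by whoever
    owns the reverse zone; confirm the forward lookup of that name resolves
    back to the same address before trusting it. Unverified sources keep
    alerting, and only this one gid/sid is silenced, not all of frag3.
    """
    sources = sorted({src for (src, _dst) in counts if src in verified_sources})
    return [
        f"suppress gen_id {FRAG3_GID}, sig_id {FRAG_OVERLAP_SID}, track by_src, ip {src}"
        for src in sources
    ]


if __name__ == "__main__":
    events = parse_alerts(SAMPLE_ALERTS)
    counts = overlap_sources(events)
    for (src, dst), n in counts.most_common():
        print(f"{n:4d}  {src} -> {dst}")
    # 192.0.2.53 stands in for a resolver verified out of band (constructed).
    for line in suppress_entries(counts, {"192.0.2.53"}):
        print(line)
```

The coarser alternative is removing `detect_anomalies` from the `frag3_engine` line in snort.conf, which silences every frag3 anomaly alert for that engine, including the ones that still matter. A per-source `suppress` keeps the overlap check active for everything except the traffic that was actually examined, and the generated lines drop straight into threshold.conf.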