Hi All,
I received these packets this morning (see the attached tcpdump file):
06:45:43.060280 192.168.123.3 > 81.51.107.127: (frag 0:20@55072) (ttl 243, len 40)
06:47:54.294323 192.168.123.3 > 81.51.107.127: (frag 0:20@55072) (ttl 243, len 40)
06:47:54.305377 192.168.123.3.3138 > 81.51.107.127.4662: R [tcp sum ok] 374411680:374411680(0) win 0 (DF) (ttl 243, id 0, len 40)
Yes, my public IP is 81.51.107.127,
and net 192.168.123 is not me!
Timezone: GMT+1 Paris.
I do not have any other packet with net 192.168.123, and I do not have any other
fragmented packet ...
The important thing is that Firestorm sees the bad traffic ...
The Firestorm event is this: (VERY GOOD)
Mar 26 06:47:54 crusoe 11 firestorm-nids053c: 1048657674.294327
alert=ipfrag sig=8.0 priority=5 src=cù¿¿¥Âca dst=Dù¿¿fýq~P~cù¿¿¥Âca
proto=6 : Fragment arrived after teout
Yes, my syslog patch is bugged!
But Firestorm raises an event for the frag ...
and snort does not alarm/log this! (snort 191b233)
However, snort does see the frag:
========================
Fragmentation Stats:
Fragmented IP Packets: 2 (0.000%)
Fragment Trackers: 1
Rebuilt IP Packets: 0
Frag elements used: 0
Discarded(incomplete): 0
Discarded(timeout): 0
Frag2 memory faults: 0
=========================
and the conf:
No arguments to frag2 directive, setting defaults to:
Fragment timeout: 60 seconds
Fragment memory cap: 4194304 bytes
Fragment min_ttl: 0
Fragment ttl_limit: 5
Fragment Problems: 0
and prelude does not see it and does not log it ...
Regards.
PS: Sorry for my bad English.
Attachment:
frag.tcpdump.gz
Description: GNU Zip compressed data
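As an added illustration (not part of the original post, and not Snort's or Firestorm's own code), a small Python tracker that replays the two fragments quoted above against the 60-second frag2 timeout listed in the conf and reports the second one as arriving after the timeout. The tcpdump line parser, the tracker model and the alert text are assumptions; the sample lines are a constructed copy of the post's tcpdump output re-joined onto single lines.

```python
import re
from datetime import datetime, timedelta

FRAG_TIMEOUT = timedelta(seconds=60)   # frag2 default quoted in the post

# Constructed sample: the tcpdump lines from the post, each re-joined onto one line.
SAMPLE = """\
06:45:43.060280 192.168.123.3 > 81.51.107.127: (frag 0:20@55072) (ttl 243, len 40)
06:47:54.294323 192.168.123.3 > 81.51.107.127: (frag 0:20@55072) (ttl 243, len 40)
06:47:54.305377 192.168.123.3.3138 > 81.51.107.127.4662: R [tcp sum ok] 374411680:374411680(0) win 0 (DF) (ttl 243, id 0, len 40)
"""

# tcpdump prints a fragment as "(frag ID:SIZE@OFFSET)", with a trailing '+' when more fragments follow
FRAG_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"\(frag (?P<id>\d+):(?P<size>\d+)@(?P<off>\d+)(?P<more>\+?)\)"
)

def parse_fragments(text):
    """Return [(timestamp, (src, dst, ip_id), size, offset, more)] for the 'frag' lines only."""
    frags = []
    for line in text.splitlines():
        m = FRAG_RE.match(line)
        if not m:   # e.g. the TCP RST line is not a fragment
            continue
        ts = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        frags.append((ts, (m["src"], m["dst"], int(m["id"])), int(m["size"]), int(m["off"]), m["more"] == "+"))
    return frags

def track(text, timeout=FRAG_TIMEOUT):
    """Replay fragments through a per-(src, dst, ip_id) tracker and return alert strings.

    Hypothetical, simplified model of a frag2-style timeout (not Snort's own code): the first
    fragment opens a tracker, the tracker expires after `timeout`, and a later fragment for the
    same key is reported, as Firestorm's "Fragment arrived after timeout" did in the post.
    """
    opened_at = {}   # (src, dst, ip_id) -> timestamp of the fragment that opened the tracker
    alerts = []
    for ts, key, _size, off, _more in parse_fragments(text):
        first = opened_at.get(key)
        if first is not None and ts - first > timeout:
            age = (ts - first).total_seconds()
            alerts.append(f"{ts.time()} ipfrag {key[0]} -> {key[1]} id={key[2]} off={off}: "
                          f"arrived {age:.0f}s after tracker opened, past {timeout.total_seconds():.0f}s timeout")
            first = None   # expired: this fragment starts a fresh tracker
        if first is None:
            opened_at[key] = ts
    return alerts
```

With the 60-second default the second fragment (131 s after the first, same id 0 and offset 55072) produces one alert; raising the timeout above 131 s makes it silent, which is the kind of difference a tracker's timeout setting makes to what gets logged.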