
[Fwd: [Snort-devel] snort and fragmentation]



Hi Gianni,

Attached is the email I sent to the Snort mailing list about the fragmentation problem ...

Firestorm is a very good product on fragmented packets ...

Regards.

PS: Sorry for my bad English.
--- Begin Message ---
Hi,

This morning I received a new fragmented packet ...

and snort did not generate an event for it !

(firestorm, [other nids] generate an event for it ...)

Attached is a tcpdump file with the fragment ...

Why does snort not generate an event for bad fragmentation ?

but snort does see the fragment :
==========================================
Fragmentation Stats:
Fragmented IP Packets: 1          (0.000%)
    Fragment Trackers: 1
   Rebuilt IP Packets: 0
   Frag elements used: 0
Discarded(incomplete): 0
   Discarded(timeout): 0
  Frag2 memory faults: 0
==========================================

and the same snort conf as yesterday ...
and I use snort version 191b234.

Regards.



rmkml wrote:

> Hi All,
>
> I received this packet this morning : (tcpdump file attached)
>
> but snort did not generate an event for the fragmented packet,
> (On this trace there is no frag/end packet ..., and is it strange for snort to
> generate an event for this ?)
>
> why ?
>
> Only this traffic is in the file, no other traffic with net 192.168.123.x.
> (ok, my box has a linux edonkey (p2p) client on tcp port 4662)
>
> but snort does see the fragmented packet :
> ========================
> Fragmentation Stats:
> Fragmented IP Packets: 2          (0.000%)
>     Fragment Trackers: 1
>    Rebuilt IP Packets: 0
>    Frag elements used: 0
> Discarded(incomplete): 0
>    Discarded(timeout): 0
>   Frag2 memory faults: 0
> =========================
>
> The other nids, Firestorm, generates an event for this ...
>
> I use snort 191b233.
>
> Regards.
>
> Snort frag conf :
>
> No arguments to frag2 directive, setting defaults to:
>     Fragment timeout: 60 seconds
>     Fragment memory cap: 4194304 bytes
>     Fragment min_ttl:   0
>     Fragment ttl_limit: 5
>     Fragment Problems: 0
>
> PS: Sorry for my bad English
>
> Attachment: frag.tcpdump.gz (application/x-gzip)

Attachment: frag2.tcpdump.gz
Description: GNU Zip compressed data


--- End Message ---
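The counters in both messages (one or two fragmented packets seen, one tracker, nothing rebuilt, nothing discarded) are consistent with a fragment set that never completes: a first fragment with the More Fragments flag set and no final fragment cannot be reassembled, so it only sits in its tracker until the fragment timeout (60 seconds in the frag2 defaults quoted above), and no whole datagram is ever handed to the detection engine. The Python script below is an added example, not code from the thread or from Snort or Firestorm. It models a frag2-style tracker keyed on (src, dst, IP ID, protocol) and reports counters named after the ones in the posted output; those names and the exact counting rules are an assumption, not Snort's implementation. The captures are constructed inline (they are not the poster's frag.tcpdump.gz), the 192.168.123.x addresses are made up, and the pcap uses the raw-IP link type so no Ethernet framing is needed.

```python
import struct

MF = 0x2000           # IPv4 "More Fragments" flag in the flags/offset field
OFFSET_MASK = 0x1FFF  # fragment offset, counted in 8-byte units
LINKTYPE_RAW = 101    # pcap link type for bare IP packets (no Ethernet header)


def ip_checksum(hdr):
    """RFC 791 one's-complement checksum over an (even-length) IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(src, dst, ident, proto, offset, payload, more, ttl=64):
    """Build one IPv4 fragment; offset is in bytes and must be a multiple of 8."""
    assert offset % 8 == 0
    addr = lambda ip: bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      (MF if more else 0) | (offset // 8), ttl, proto, 0,
                      addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def write_pcap(packets):
    """Serialise raw IP packets into a little-endian pcap byte string."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RAW)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", 1000 + i, 0, len(pkt), len(pkt)) + pkt
    return out


def read_pcap(data):
    """Yield raw packet bytes from a little-endian pcap of link type LINKTYPE_RAW."""
    assert struct.unpack("<II", data[:4] + data[20:24]) == (0xA1B2C3D4, LINKTYPE_RAW)
    pos = 24
    while pos + 16 <= len(data):
        incl = struct.unpack("<I", data[pos + 8:pos + 12])[0]
        yield data[pos + 16:pos + 16 + incl]
        pos += 16 + incl


class FragTracker:
    """Reassembly state for one fragment set (one (src, dst, id, proto) key)."""

    def __init__(self):
        self.pieces = {}   # byte offset -> payload bytes
        self.total = None  # datagram payload length, known once the MF=0 fragment arrives

    def add(self, offset, payload, more):
        self.pieces[offset] = payload
        if not more:
            self.total = offset + len(payload)

    def rebuild(self):
        """Return the reassembled payload, or None while the set is incomplete."""
        if self.total is None:
            return None          # no final fragment yet: the set cannot complete on its own
        data, expect = bytearray(), 0
        for off in sorted(self.pieces):
            if off != expect:
                return None      # gap or overlap: coverage is not contiguous
            data += self.pieces[off]
            expect = off + len(self.pieces[off])
        return bytes(data) if expect == self.total else None


def frag_stats(pcap_bytes):
    """Feed a capture through the trackers and return frag2-style counters (names assumed)."""
    trackers, stats = {}, {"fragmented_ip_packets": 0, "fragment_trackers": 0,
                           "rebuilt_ip_packets": 0, "still_incomplete": 0}
    for pkt in read_pcap(pcap_bytes):
        ihl = (pkt[0] & 0x0F) * 4
        ident, flags_off = struct.unpack("!HH", pkt[4:8])
        offset, more = (flags_off & OFFSET_MASK) * 8, bool(flags_off & MF)
        if offset == 0 and not more:
            continue                       # whole datagram, not a fragment
        stats["fragmented_ip_packets"] += 1
        key = (pkt[12:16], pkt[16:20], ident, pkt[9])
        if key not in trackers:
            trackers[key] = FragTracker()
            stats["fragment_trackers"] += 1
        trackers[key].add(offset, pkt[ihl:], more)
        if trackers[key].rebuild() is not None:
            stats["rebuilt_ip_packets"] += 1
            del trackers[key]              # complete: a NIDS would now inspect the datagram
    stats["still_incomplete"] = len(trackers)  # only a fragment timeout would ever clear these
    return stats


# Constructed captures (not the poster's frag.tcpdump.gz); addresses are made up.
SRC, DST, IDENT, UDP = "192.168.123.1", "192.168.123.2", 0x1234, 17
frag = lambda off, data, more: build_fragment(SRC, DST, IDENT, UDP, off, data, more)
LONE_FIRST_FRAGMENT = write_pcap([frag(0, b"A" * 16, True)])            # the posted case
MISSING_MIDDLE = write_pcap([frag(0, b"A" * 16, True), frag(32, b"C" * 8, False)])
COMPLETE_OUT_OF_ORDER = write_pcap([frag(16, b"B" * 8, False), frag(0, b"A" * 16, True)])

if __name__ == "__main__":
    for name, cap in [("lone first fragment", LONE_FIRST_FRAGMENT),
                      ("missing middle", MISSING_MIDDLE),
                      ("complete, out of order", COMPLETE_OUT_OF_ORDER)]:
        print(name, frag_stats(cap))
```

Running it prints one counter dictionary per capture. The lone first fragment and the set with a missing middle both end with one tracker still open and nothing rebuilt, which is the shape of the statistics in the thread; only the out-of-order but complete set is rebuilt, because the tracker sorts by offset and checks contiguous coverage up to the length fixed by the MF=0 fragment. The script has no clock, so it never moves an open tracker into a timeout-discard count; a real reassembler does that after its configured fragment timeout, and any rule that matches on the reassembled datagram cannot fire before then.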