Hi All,

I found a problem with firestorm; see the full syslog (and the attached tcpdump file):

Apr 4 15:54:07 xxx 11 firestorm-nids053d: 1049464447.564547 alert=ipfrag sig=8.0 priority=5 src=äù¿¿:÷q(\Sr(` dst=` proto=6 : Fragment arrived after timeout
Apr 4 15:54:07 xxx 134607744 firestorm-nids053d
Apr 4 15:54:07 xxx 134607744 in free():
Apr 4 15:54:07 xxx 134607744 warning:
Apr 4 15:54:07 xxx 134607744 chunk is already free
Apr 4 15:54:07 xxx 134607744 firestorm-nids053d
Apr 4 15:54:07 xxx 134607744 in free():
Apr 4 15:54:07 xxx 134607744 warning:
Apr 4 15:54:07 xxx 134607744 chunk is already free
Apr 4 15:54:07 xxx 134607744 firestorm-nids053d
Apr 4 15:54:07 xxx 134607744 in free():
Apr 4 15:54:07 xxx 134607744 warning:
Apr 4 15:54:07 xxx 134607744 chunk is already free
Apr 4 15:54:07 xxx 15 firestorm-nids053d: Running the ipfrag evictor!
Apr 4 15:54:07 xxx 11 firestorm-nids053d: 1049464447.564608 alert=ipfrag sig=7.0 priority=5 src= dst=¤ù¿¿ÊM(Lu(?õ proto=6 : Too many fragments
Apr 4 15:54:07 xxx 15 firestorm-nids053d: 0x8fdf540: got a fragment (20/16404)
Apr 4 15:54:07 xxx 15 firestorm-nids053d: Running the ipfrag evictor!
Apr 4 15:54:07 xxx 11 firestorm-nids053d: 1049464447.564635 alert=ipfrag sig=7.0 priority=5 src= dst=s proto=6 : Too many fragments
Apr 4 15:54:07 xxx 11 firestorm-nids053d: 1049464447.564635 alert=ipfrag sig=1.0 priority=5 src=Ôù¿¿
Apr 4 15:54:07 xxx 134607744 `Or(cäù¿¿
Apr 4 15:54:07 xxx 134607744 àMr(cst= proto=6 : Teardrop

(Yes, my syslog patch for firestorm is bugged on frag packets.)

The problem is: "in free(): warning chunk is already free" ... but it does not say where ... (frag function?)

I use the firestorm snapshot of 25 Mar 2003, and attach the tcpdump file, and ipsrc, and this file does not have any other traffic!

Info: snort and prelude do not alert on this frag packet .....

Regards

PS: Sorry for my bad English
Attachment:
teardrop-frag.tcpdump.gz
Description: GNU Zip compressed data