Snort mailing list archives

Checking for "Frag Offset"

From: "Sheahan, Paul (PCLN-NW)" <Paul.Sheahan () priceline com>
Date: Tue, 26 Mar 2002 15:25:11 -0500


I am trying to do some testing and analysis on fragmented packets. Looking
at the headers of fragmented packets, they always contain "Frag Offset:" in
them. So I tried to have Snort alert on packets with content of "Frag
Offset" as a test, but no alerts were generated even though many packets
with "Frag Offset" in the header had entered the network.

Is there another way I can have Snort alert on fragmented packets, such as
with the flags: Snort option or something?

Thanks!

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Checking for "Frag Offset" Sheahan, Paul (PCLN-NW) (Mar 26)
- <Possible follow-ups>
- Re: Checking for "Frag Offset" Matt Kettler (Mar 26)