Snort mailing list archives

Snort and fragmentation


From: "Hudak, Tyler" <Tyler.Hudak () roadway com>
Date: Wed, 21 Jan 2004 14:35:51 -0500

I'm trying to write a rule to detect a UDP packet that I am seeing that is
the first fragment in a fragment train.  I have the rule written, but it
will not detect the packet unless I use IP as the protocol and not UDP.  The
rule is below.

alert ip 67.2.0.0/16 any -> $HOME_NET any (msg:"checking for my frag";
fragbits: M; fragoffset: 0;)

Is this because Snort looks at fragmented packets as IP packets and not the
protocol that fragment is for?

Tyler
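The rule above tests only IPv4 header fields. The Python below is an added example, not part of the original message or of Snort: it evaluates the same conditions (source net, $HOME_NET, M bit, fragment offset 0) over a constructed fragment train and shows that only the first fragment carries a UDP header for a udp rule to match on. $HOME_NET, the addresses and the packets are assumed values.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"                       # 20-byte IPv4 header, no options
HOME_NET = ipaddress.ip_network("10.0.0.0/8")    # assumed value of $HOME_NET
SRC_NET = ipaddress.ip_network("67.2.0.0/16")    # source net from the rule

def build_packet(src, dst, proto, mf, offset_units, payload, ident=0x1234):
    """Constructed IPv4 packet; offset_units is the fragment offset in 8-byte units.
    The header checksum is left at zero because nothing here verifies it."""
    flags_frag = (int(mf) << 13) | (offset_units & 0x1FFF)
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), ident, flags_frag, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload

def parse_ipv4(pkt):
    """Return the header fields the rule options look at (fragbits, fragoffset, proto, addresses)."""
    _, _, _, _, flags_frag, _, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    return {"proto": proto, "src": ipaddress.IPv4Address(src), "dst": ipaddress.IPv4Address(dst),
            "mf": bool(flags_frag & 0x2000), "offset": flags_frag & 0x1FFF, "payload": pkt[20:]}

def frag_rule_matches(pkt):
    """The post's rule as IP-layer checks: src in 67.2.0.0/16, dst in $HOME_NET, M set, offset 0."""
    h = parse_ipv4(pkt)
    return h["src"] in SRC_NET and h["dst"] in HOME_NET and h["mf"] and h["offset"] == 0

def udp_ports(pkt):
    """UDP ports are only recoverable from a first fragment (offset 0) of protocol 17;
    a later fragment carries a slice of the datagram body with no transport header,
    so a rule keyed on UDP has nothing to match there."""
    h = parse_ipv4(pkt)
    if h["proto"] != 17 or h["offset"] != 0 or len(h["payload"]) < 8:
        return None
    sport, dport = struct.unpack("!HH", h["payload"][:4])
    return sport, dport

# Constructed fragment train for one UDP datagram (67.2.1.1:53 -> 10.0.0.5:1024, 1496 bytes).
UDP_HDR = struct.pack("!HHHH", 53, 1024, 1496, 0)
FIRST = build_packet("67.2.1.1", "10.0.0.5", 17, True, 0, UDP_HDR + b"A" * 1472)
MIDDLE = build_packet("67.2.1.1", "10.0.0.5", 17, True, 185, b"B" * 8)   # 1480 bytes in
LAST = build_packet("67.2.1.1", "10.0.0.5", 17, False, 186, b"C" * 8)
WHOLE = build_packet("67.2.1.1", "10.0.0.5", 17, False, 0, UDP_HDR + b"D" * 100)

if __name__ == "__main__":
    for name, p in (("first", FIRST), ("middle", MIDDLE), ("last", LAST), ("whole", WHOLE)):
        print(f"{name:6s} rule={frag_rule_matches(p)} udp_ports={udp_ports(p)}")
```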