Snort mailing list archives

Re: Snort Rules Help


From: Matt Kettler <mkettler () evi-inc com>
Date: Fri, 09 Jul 2004 14:58:55 -0400

At 12:26 PM 7/9/2004, Cunningham, Andy wrote:
pass udp $SRC any <> $DEST $PORT (classtype:ignore)
alert ip any any -> any any (msg: "Unexpected unclassified traffic"; classtype: unexpected-traffic; )


These rules work fine for most of the traffic, but when a fragmented UDP packet comes through, the fragment causes the alert to be generated.

I've tried adding a fragoffset:0 into the rule to only alert if it's the first fragment, but it doesn't seem to help.

Can anyone suggest what I might be doing wrong?

No I can't... the behavior you saw the first time around is pretty much as expected, since the fragments are IP packets, not UDP packets (they have no UDP header in them).

However, I would have expected that adding fragoffset:0 to the alert would fix it.
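
As an added illustration (not part of this thread, and not Snort's own code), a small Python model of the point above: it builds two constructed IPv4 fragments of one UDP datagram and applies simplified versions of the pass/alert rules. It assumes pass rules are evaluated before alert rules and does not model Snort's fragment reassembly preprocessor.

```python
import struct

IP_PROTO_UDP = 17
MF_FLAG = 0x2000  # "more fragments" bit in the IPv4 flags/fragment-offset field

def build_ipv4(ident, flags_frag, payload, proto=IP_PROTO_UDP):
    """Build a minimal IPv4 packet (checksum left zero; constructed test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")
    return hdr + payload

def parse_ipv4(pkt):
    vihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {"proto": proto,
            "more_frags": bool(flags_frag & MF_FLAG),
            "frag_offset": flags_frag & 0x1FFF,   # offset in 8-byte units
            "payload": pkt[(vihl & 0x0F) * 4:]}

def has_udp_header(info):
    # Only the fragment at offset 0 carries the UDP header; a later fragment is an
    # IP packet whose payload is just a slice of the datagram's data bytes.
    return info["proto"] == IP_PROTO_UDP and info["frag_offset"] == 0 and len(info["payload"]) >= 8

def rule_matches(rule, pkt):
    """Simplified matcher: rule['proto'] is 'udp' or 'ip'; rule['fragoffset'] is None or an int."""
    info = parse_ipv4(pkt)
    if rule["proto"] == "udp" and not has_udp_header(info):
        return False
    if rule["fragoffset"] is not None and info["frag_offset"] != rule["fragoffset"]:
        return False
    return True

def first_match(rules, pkt):
    """Return the name of the first matching rule (pass rules listed first), or None."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["name"]
    return None

PASS_UDP = {"name": "pass udp", "proto": "udp", "fragoffset": None}
ALERT_IP = {"name": "alert ip", "proto": "ip", "fragoffset": None}
ALERT_IP_FIRST = {"name": "alert ip fragoffset:0", "proto": "ip", "fragoffset": 0}

# Constructed sample: a 24-byte UDP datagram (8-byte header + 16 data bytes) split in two.
udp_hdr = struct.pack("!HHHH", 40000, 514, 24, 0)
data = b"A" * 16
FRAG1 = build_ipv4(0x1234, MF_FLAG, udp_hdr + data[:8])  # offset 0, MF set, 16-byte payload
FRAG2 = build_ipv4(0x1234, 2, data[8:])                  # offset 2 (= 16 bytes), last fragment
```

Calling `first_match([PASS_UDP, ALERT_IP], FRAG2)` returns "alert ip" because the second fragment carries no UDP header for the pass rule to match, while adding `fragoffset:0` to the alert rule leaves that fragment unmatched.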

