 
From: Joe McAlerney (joeySiliconDefense.com)
Date: Tue Apr 02 2002 - 17:14:33 CST


    You may be able to configure it to run through fragrouter. I've only
    worked with it in the other direction.

    http://www.securityfocus.com/data/tools/fragrouter-1.6.tar.gz

    -Joe M.

    -- 
    Joe McAlerney
    Silicon Defense: IDS Solutions
    

    "Sheahan, Paul (PCLN-NW)" wrote:
    >
    > I want to see if any TCP experts out there know the answer to this.
    >
    > In Snort, I have seen many hosts send many fragmented TCP packets (MF bit
    > set, no src or dst port) to a server, and occasionally have that server
    > respond with a fragmented TCP packet instead of a standard TCP packet.
    > Normally with native TCP, all responses from any server are standard-sized,
    > unfragmented packets regardless of what type of packets are being received.
    > So if a server is receiving fragmented packets from a host or standard
    > unfragmented packets from a host, regardless, it always replies back with
    > standard-sized, unfragmented TCP packets during a TCP session.
    >
    > Well during testing, I've been able to send fragmented TCP packets to a
    > server, and have it reply back with fragmented packets (MF bit is set and
    > there are no src or dst ports). An example trace where I saw this is below.
    >
    > I was wondering if it's possible to force a server to generate fragmented
    > packets like this?
    >
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > 03/27-21:10:03.975761 internal_server -> unknown_internet_host
    > TCP TTL:51 TOS:0x0 ID:14447 IpLen:20 DgmLen:52 MF
    > Frag Offset: 0x0 Frag Size: 0x20
    > .P..\.K>\.K>.."8................
    > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
    >
    > Thanks
    >
    > _______________________________________________
    > Snort-users mailing list
    > Snort-userslists.sourceforge.net
    > Go to this URL to change user options or unsubscribe:
    > https://lists.sourceforge.net/lists/listinfo/snort-users
    > Snort-users list archive:
    > http://www.geocrawler.com/redir-sf.php3?list=snort-users

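The IPv4 header fields printed in the quoted trace (ID, MF, Frag Offset, Frag Size), decoded in an added Python example that is not part of the original thread. The addresses, ports and payload bytes are constructed; only ID, TTL, TOS and the lengths are taken from the trace. In IPv4 only the fragment at offset 0 carries the start of the TCP header, so that is the only place ports can be read from.

```python
import struct

def parse_ipv4_fragment(packet: bytes) -> dict:
    """Decode the IPv4 header fields that describe fragmentation."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, tos, total_len, ident, flags_off, ttl, proto = struct.unpack(
        "!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl:
        raise ValueError("not a well-formed IPv4 header")
    mf = bool(flags_off & 0x2000)          # More Fragments flag
    offset = (flags_off & 0x1FFF) * 8      # field counts 8-byte units
    if offset == 0:
        kind = "first" if mf else "unfragmented"
    else:
        kind = "middle" if mf else "last"
    info = {"id": ident, "ttl": ttl, "tos": tos, "proto": proto, "mf": mf,
            "offset": offset, "frag_size": total_len - ihl, "kind": kind}
    # Ports are the first four bytes of the TCP header, so they exist only
    # in the offset-0 fragment; later fragments are raw TCP byte ranges.
    if proto == 6 and offset == 0 and len(packet) >= ihl + 4:
        info["sport"], info["dport"] = struct.unpack("!HH", packet[ihl:ihl + 4])
    return info

def build_fragment(flags_off: int, payload: bytes) -> bytes:
    """Constructed sample: ID/TTL/TOS from the trace, everything else made up."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 14447,
                         flags_off, 51, 6, 0,          # checksum left 0, unchecked
                         bytes([192, 0, 2, 10]),        # constructed source
                         bytes([198, 51, 100, 20]))     # constructed destination
    return header + payload

# First fragment: MF set, offset 0, 0x20 bytes of data (as in the trace).
FIRST = build_fragment(0x2000, struct.pack("!HH", 80, 1025) + bytes(28))
# Final fragment of the same datagram: MF clear, offset 4 * 8 = 32 bytes.
LAST = build_fragment(0x0004, bytes(12))

if __name__ == "__main__":
    for name, pkt in (("first", FIRST), ("last", LAST)):
        print(name, parse_ipv4_fragment(pkt))
```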