Snort FAQ: http://www.snort.org/docs/writing_rules/chap2.html#tth_sEc2.3.7

GIAC GCIA - Fragmented Code Red:
http://cert.uni-stuttgart.de/archive/intrusions/2002/08/msg00246.html

HTH,
John Hicks

-----Original Message-----
From: Hanasaki JiJi [mailto:hanasakihanaden.com]
Sent: Friday, November 29, 2002 12:41 PM
To: snort-userslists.sourceforge.net
Subject: [Snort-users] Please help me understand this alert output

Below is one of MANY alerts being loged on my internal network. It is a
very small network. how can i find what is causing the bad traffice,
and rectify it?

[**] [1:1322:4] BAD TRAFFIC bad frag bits [**]
[Classification: Misc activity] [Priority: 3]
11/29-11:38:11.405389 192.168.1.200 -> 192.168.1.1
UDP TTL:64 TOS:0x0 ID:12106 IpLen:20 DgmLen:1500 DF MF
Frag Offset: 0x0000 Frag Size: 0x05C8

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T
handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-------------------------------------------------------
This SF.net email is sponsored by: Get the new Palm Tungsten T
handheld. Power & Color in a compact size!
http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
_______________________________________________
Snort-users mailing list
Snort-userslists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]