Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Snort-Users
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Snort-users] frag3 alerts

from [Drew Burchett] Network Security [Permanent Link]
Subject: RE: [Snort-users] frag3 alerts
Date: Mon, 22 May 2006 13:27:07 -0500 
From examining the packet capture, I've determined that the "offending"

traffic is an NXDomain response from a valid root server.  It's being
caused by doing reverse lookups on spam email.

 

However, the question remains, is there any way I can fine tune the
frag3 preprocessor to avoid these false positives?

 

Drew Burchett

United Systems & Software

http://www.united-systems.com

Phone:  (270)527-3293

Fax:     (270)527-3132

 

  _____  

From: snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] On Behalf Of Drew
Burchett
Sent: Monday, May 22, 2006 11:18 AM
To: snort-users@lists.sourceforge.net
Subject: [Snort-users] frag3 alerts

 

I am seeing a lot of frag3 Fragmentation overlap alerts with my DNS
server as the destination and a source address that reverses to a root
server.  When examining the packets, the traffic seems to be valid DNS
traffic, although it has nothing to do with any domains that I host.  Is
this some sort of attack, or is it valid traffic that is throwing false
positives?  If it is a false positive, is there any way I can fine-tune
the frag3 preprocessor to avoid these?

 

Drew Burchett

United Systems & Software

http://www.united-systems.com

Phone:  (270)527-3293

Fax:     (270)527-3132

 


-- 

CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message. 


-- 
This message has been scanned for viruses and 
dangerous content by MailScanner <http://www.mailscanner.info/> , and is

believed to be clean. 

--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is for 
the sole use of the intended recipient(s) and may contain confidential and 
privileged information. Any unauthorized review, use, disclosure or 
distribution is prohibited. If you are not the intended recipient, please 
contact the sender by reply e-mail and destroy all copies of the original 
message.

-- 
This message has been scanned for viruses and dangerous content by MailScanner 
and is believed to be clean.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Snort-users] frag3 alerts, Drew Burchett
Next by Date:  Re: [Snort-users] frag3 alerts, Joel Esler
Previous by Thread:  [Snort-users] frag3 alerts, Drew Burchett
Next by Thread:  Re: [Snort-users] frag3 alerts, Joel Esler
Indexes:  [Date] [Thread] [Top] [All Lists]