-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Of course. Frag3 is target based (tuned to the OS) of your machine.
Therefore you need to create an entry in your snort.conf specifically
tuned to the OS of your DNS server (and any other host on your network)
If you need further help, feel free to email the list or me personally,
however, please review the examples in the snort.conf under the frag3
heading.
Joel Esler
Drew Burchett wrote:
From examining the packet capture, I?ve determined that the ?offending?
traffic is an NXDomain response from a valid root server. It?s being
caused by doing reverse lookups on spam email.
However, the question remains, is there any way I can fine tune the
frag3 preprocessor to avoid these false positives?
Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132
* From: * snort-users-admin@lists.sourceforge.net
[mailto:snort-users-admin@lists.sourceforge.net] *On Behalf Of *Drew
Burchett
*Sent:* Monday, May 22, 2006 11:18 AM
*To:* snort-users@lists.sourceforge.net
*Subject:* [Snort-users] frag3 alerts
I am seeing a lot of frag3 Fragmentation overlap alerts with my DNS
server as the destination and a source address that reverses to a root
server. When examining the packets, the traffic seems to be valid DNS
traffic, although it has nothing to do with any domains that I host. Is
this some sort of attack, or is it valid traffic that is throwing false
positives? If it is a false positive, is there any way I can fine-tune
the frag3 preprocessor to avoid these?
Drew Burchett
United Systems & Software
http://www.united-systems.com
Phone: (270)527-3293
Fax: (270)527-3132
--
CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message.
--
This message has been scanned for viruses and
dangerous content by *MailScanner* <http://www.mailscanner.info/>*, and is
believed to be clean.
-- *
*CONFIDENTIALITY NOTICE: This e-mail message, including any attachments,
is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is prohibited. If you are not the intended
recipient, please contact the sender by reply e-mail and destroy all
copies of the original message. *
*
--
This message has been scanned for viruses and
dangerous content by *MailScanner* <http://www.mailscanner.info/>, and is
believed to be clean. *
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFEcgNbKbCSyXHckt4RAtp4AKCB1iImdRYQ0U8WX0/eIaPWocRf8gCbBmky
MeeGd4uQmcmw8Mn+ypfbHjg=
=cFjW
-----END PGP SIGNATURE-----
-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
