Re: [Snort-users] frag3 alerts

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

How do you have the rest of the frag3 entries set?  Or is that the only
entry you have?

Joel

Drew Burchett wrote:
> Well, I'm pretty sure I've got that set right.  The host is running Suse
> Linux 10.0 and I've got the configuration set to:
>
> preprocessor frag3_engine: policy linux bind_to 65.241.66.12
>
> That seemed to be how I should have it set according to the chart in
> README.frag3.
>
> Drew Burchett
> United Systems & Software
> http://www.united-systems.com
> Phone:  (270)527-3293
> Fax:     (270)527-3132
>
>
> > -----Original Message-----
> > From: Joel Esler [mailto:joel.esler@sourcefire.com]
> > Sent: Monday, May 22, 2006 1:31 PM
> > To: Drew Burchett
> > Cc: snort-users@lists.sourceforge.net; rmkml
> > Subject: Re: [Snort-users] frag3 alerts
> Of course.  Frag3 is target based (tuned to the OS) of your machine.
> Therefore you need to create an entry in your snort.conf specifically
> tuned to the OS of your DNS server (and any other host on your
> > network)
> If you need further help, feel free to email the list or me
> > personally,
> however, please review the examples in the snort.conf under the frag3
> heading.
>
> Joel Esler
>
> Drew Burchett wrote:
> > > > From examining the packet capture, I?ve determined that the
> > ?offending?
> > > > traffic is an NXDomain response from a valid root server.  It?s
> > being
> > > > caused by doing reverse lookups on spam email.
> > > >
> > > >
> > > >
> > > > However, the question remains, is there any way I can fine tune the
> > > > frag3 preprocessor to avoid these false positives?
> > > >
> > > >
> > > >
> > > > Drew Burchett
> > > >
> > > > United Systems & Software
> > > >
> > > > http://www.united-systems.com
> > > >
> > > > Phone:  (270)527-3293
> > > >
> > > > Fax:     (270)527-3132
> > > >
> > > >
> > > >
> > > > * From: * snort-users-admin@lists.sourceforge.net
> > > > [mailto:snort-users-admin@lists.sourceforge.net] *On Behalf Of *Drew
> > > > Burchett
> > > > *Sent:* Monday, May 22, 2006 11:18 AM
> > > > *To:* snort-users@lists.sourceforge.net
> > > > *Subject:* [Snort-users] frag3 alerts
> > > >
> > > >
> > > >
> > > > I am seeing a lot of frag3 Fragmentation overlap alerts with my DNS
> > > > server as the destination and a source address that reverses to a
> > root
> > > > server.  When examining the packets, the traffic seems to be valid
> > DNS
> > > > traffic, although it has nothing to do with any domains that I host.
> > Is
> > > > this some sort of attack, or is it valid traffic that is throwing
> > false
> > > > positives?  If it is a false positive, is there any way I can
> > fine-tune
> > > > the frag3 preprocessor to avoid these?
> > > >
> > > >
> > > >
> > > > Drew Burchett
> > > >
> > > > United Systems & Software
> > > >
> > > > http://www.united-systems.com
> > > >
> > > > Phone:  (270)527-3293
> > > >
> > > > Fax:     (270)527-3132
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > >
> > > > CONFIDENTIALITY NOTICE: This e-mail message, including any
> > attachments,
> > > > is for the sole use of the intended recipient(s) and may contain
> > > > confidential and privileged information. Any unauthorized review,
> > use,
> > > > disclosure or distribution is prohibited. If you are not the
> > intended
> > > > recipient, please contact the sender by reply e-mail and destroy all
> > > > copies of the original message.
> > > >
> > > >
> > > > --
> > > > This message has been scanned for viruses and
> > > > dangerous content by *MailScanner* <http://www.mailscanner.info/>*,
> > and
> is
> > > > believed to be clean.
> > > > -- *
> > > >
> > > > *CONFIDENTIALITY NOTICE: This e-mail message, including any
> > attachments,
> > > > is for the sole use of the intended recipient(s) and may contain
> > > > confidential and privileged information. Any unauthorized review,
> > use,
> > > > disclosure or distribution is prohibited. If you are not the
> > intended
> > > > recipient, please contact the sender by reply e-mail and destroy all
> > > > copies of the original message. *
> > > >
> > > > *
> > > > --
> > > > This message has been scanned for viruses and
> > > > dangerous content by *MailScanner* <http://www.mailscanner.info/>,
> > and
> is
> > > > believed to be clean. *

> --
> CONFIDENTIALITY NOTICE: This e-mail message, including any attachments, is 
> for the sole use of the intended recipient(s) and may contain confidential 
> and privileged information. Any unauthorized review, use, disclosure or 
> distribution is prohibited. If you are not the intended recipient, please 
> contact the sender by reply e-mail and destroy all copies of the original 
> message.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEcgUDKbCSyXHckt4RAoTtAJ90GOaIdc/J5c7BrdQKI/zXb7mgygCfXGSI
b7QvWUZeaKLTfbe6I0usa0k=
=/rr2
-----END PGP SIGNATURE-----


-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Snort-users mailing list
Snort-users@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users