For some time now snort has been logging 'Tiny Fragments' coming from several different addresses. Here is a sample: Packet 1 TIME: 10:04:55.405457 LINK: 00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP IP: 62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D09 MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE6E TCP: port 0 -> 0 seq=0000000000 ack=0000000000 hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=50A9 urg=59666 DATA: <No data> --------------------------------------------------------------------------- Packet 2 TIME: 10:04:55.481006 (0.075549) LINK: 00:00:0C:46:5C:D1 -> 00:E0:1E:8E:31:71 type=IP IP: 62.32.156.41 -> 130.216.112.2 hlen=20 TOS=48 dgramlen=20 id=5D12 MF/DF=1/1 frag=0 TTL=98 proto=TCP cksum=CE65 TCP: port 0 -> 0 seq=0000000000 ack=0000000000 hlen=0 (data=0) UAPRSF=000000 wnd=28 cksum=0F59 urg=30577 DATA: <No data> Note More Fragments and Don't fragment are both set to 1?? The packets arrive in pairs, both to the same destination address. Some sources send packets to just one destination others send them to many. When I look in the argus logs I see a single RST packet and argus does not report that it was fragmented. Any idea what is going on? Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Jul 17 2001 - 10:43:50 PDT