[Dshield] Snort question: IPflags ?

John Sage jsage at finchhaven.com
Mon Sep 22 16:38:57 GMT 2003


On Mon, Sep 22, 2003 at 05:33:14PM +0200, Stephane Grobety wrote:
> Hello,
> Does anyone know how I can set up SNORT to log the IP flags of some/all
> of its ICMP packet dumps ?
> I'm having a few "Large ICMP Packet" events that I suspect are nothing
> but path MTU discovery but, in order to verify that, I need to have a
> look at the IP "Don't fragment" flag which isn't included in my
> logs...
> I'm logging with the -X command-line flag set but it doesn't decode
> the packet dumps, just logs it. I could, of course, decode it manually,
> but as you can see, I'm a bit too lazy to do that ;)

Too lazy, ah, yes...

From The Fine Manual:

2.3.7 Fragbits

This rule inspects the fragment and reserved bits in the IP
header. There are three bits that can be checked, the Reserved Bit
(RB), More Fragments (MF) bit, and the Don't Fragment (DF) bit. These
bits can be checked in a variety of combinations. Use the following
values to indicate specific bits:

  * R - Reserved Bit
  * D - DF bit
  * M - MF bit

You can also use modifiers to indicate logical match criteria for the
specified bits:

  * + - ALL flag, match on specified bits plus any others
  * * - ANY flag, match if any of the specified bits are set
  * ! - NOT flag, match if the specified bits are not set

Format

  fragbits: <bitvalues>;

alert tcp !$HOME_NET any -> $HOME_NET any (fragbits: R+; \
 msg: "Reserved bit set!";)
Figure 2.10: Example of fragbits detection usage

- John
"Warning: time of day goes back, taking countermeasures."
John Sage
InfoSec Groupie
ABCD, EFGH, IJKL, EmEnOh, Pplus+, Mminus-
ATTENTION: this message is privileged communication. If you read it
even though you aren't supposed to, you're a poopy-head.
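
Added example, not part of the original message and not Snort's own code: a Python sketch that does the manual decode of the IP flag bits from hex-dumped header bytes and evaluates them with the fragbits modifier semantics quoted above. The sample headers are constructed, the function names are hypothetical, and treating a spec with no modifier as an exact match is an assumption.

```python
import struct

# Top three bits of IPv4 header bytes 6-7 (RFC 791): Reserved, DF, MF.
BITS = {"R": 0x8000, "D": 0x4000, "M": 0x2000}

# Constructed sample headers: 1500-byte ICMP datagram, 192.0.2.1 -> 192.0.2.2,
# checksum left at zero. Only the flags word differs between the two.
SAMPLE_DF = "45 00 05 dc 12 34 40 00 40 01 00 00 c0 00 02 01 c0 00 02 02"
SAMPLE_MF = "45 00 05 dc 12 34 20 00 40 01 00 00 c0 00 02 01 c0 00 02 02"

def flags_word(hexdump: str, skip: int = 0) -> int:
    """Return the 16-bit flags/fragment-offset word of an IPv4 header.

    skip is the number of leading bytes to drop before the IP header
    (assumption: 14 if the dump starts with an Ethernet header).
    """
    raw = bytes.fromhex(hexdump)[skip:]
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", raw[6:8])[0]

def describe(hexdump: str, skip: int = 0) -> dict:
    """Decode which flag bits are set and the fragment offset in bytes."""
    word = flags_word(hexdump, skip)
    return {"set": "".join(k for k, v in BITS.items() if word & v),
            "offset": (word & 0x1FFF) * 8}

def fragbits_match(spec: str, hexdump: str, skip: int = 0) -> bool:
    """Evaluate a spec such as 'D', 'R+', 'DM*' or 'D!' against a header."""
    wanted = 0
    for ch in spec.upper():
        if ch in BITS:
            wanted |= BITS[ch]
        elif ch not in "+*!":
            raise ValueError(f"unknown fragbits character: {ch!r}")
    have = flags_word(hexdump, skip) & 0xE000
    if "+" in spec:                      # ALL: specified bits plus any others
        return (have & wanted) == wanted
    if "*" in spec:                      # ANY: at least one specified bit set
        return (have & wanted) != 0
    if "!" in spec:                      # NOT: none of the specified bits set
        return (have & wanted) == 0
    return have == wanted                # no modifier (assumed): exactly these bits

if __name__ == "__main__":
    for name, hdr in (("DF sample", SAMPLE_DF), ("MF sample", SAMPLE_MF)):
        print(name, describe(hdr), "matches 'D':", fragbits_match("D", hdr))
```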
