File: 1322.txt

snort 2.7.0-20.4
Rule:

--
Sid: 1322

--
Summary:
This event is generated when an IP packet on the network has both the 
"more fragments" (MF) bit and the "don't fragment" (DF) bit set.

--
Impact:
Possible reconnaissance.

--
Detailed Information:
This rule detects packets whose IP header is marked as having more 
fragments to follow while the "don't fragment" bit is also set, a 
combination that a conforming IP stack never produces on its own.

Under normal circumstances an ICMP error message (type 3 code 5) should 
be generated and sent back to the source of the packet.

The attacker may be trying to ascertain information about the network 
architecture and configuration of network devices as a prelude to an 
attack.

Such traffic may be an indicator of unauthorized network use, 
reconnaissance activity or system compromise. These rules may also 
generate an event due to improperly configured network devices.
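
The check this rule performs reduces to reading two bits of the IPv4 
flags/fragment-offset field. The following is an added example, not the 
Snort rule itself or Sourcefire code: it parses constructed IPv4 headers, 
reports the DF/MF flags and fragment offset, and flags the MF+DF 
combination described above. Sample addresses, IDs and offsets are 
constructed for illustration.

```python
import struct

# Flag bits inside the 16-bit flags/fragment-offset field of the IPv4 header
IP_DF = 0x4000          # Don't Fragment
IP_MF = 0x2000          # More Fragments
IP_OFFSET_MASK = 0x1FFF  # fragment offset, in 8-byte units


def parse_ipv4_flags(packet: bytes):
    """Return (df, mf, fragment_offset) for a raw IPv4 packet.

    Raises ValueError on anything too short to hold a header or not IPv4,
    so truncated or non-IP data is never silently treated as "clean".
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    flags_frag = struct.unpack("!H", packet[6:8])[0]
    return (
        bool(flags_frag & IP_DF),
        bool(flags_frag & IP_MF),
        flags_frag & IP_OFFSET_MASK,
    )


def bad_frag_bits(packet: bytes) -> bool:
    """True when MF and DF are both set: the condition sid 1322 alerts on."""
    df, mf, _ = parse_ipv4_flags(packet)
    return df and mf


def build_ipv4_header(flags_frag: int, payload_len: int = 8, proto: int = 1) -> bytes:
    """Constructed sample packet: 20-byte header with no options, zero
    checksum (never transmitted), 10.0.0.1 -> 10.0.0.2, zeroed payload."""
    total_len = 20 + payload_len
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,            # version 4, IHL 5 (20 bytes)
        0,               # TOS
        total_len,
        0x1234,          # identification (constructed)
        flags_frag,      # flags + fragment offset under test
        64,              # TTL
        proto,           # protocol (1 = ICMP)
        0,               # header checksum left at zero for the sample
        bytes([10, 0, 0, 1]),
        bytes([10, 0, 0, 2]),
    )
    return header + b"\x00" * payload_len


# Constructed traffic: ordinary fragmentation cases beside the anomalous one
SAMPLES = {
    "unfragmented_df":  build_ipv4_header(IP_DF),
    "first_fragment":   build_ipv4_header(IP_MF),
    "middle_fragment":  build_ipv4_header(IP_MF | 185),  # offset 185 * 8 bytes
    "last_fragment":    build_ipv4_header(370),          # MF clear, nonzero offset
    "bad_frag_bits":    build_ipv4_header(IP_DF | IP_MF),
}


def scan(samples):
    """Return the names of samples that would trigger the MF+DF alert."""
    return [name for name, pkt in samples.items() if bad_frag_bits(pkt)]


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, parse_ipv4_flags(pkt), "ALERT" if bad_frag_bits(pkt) else "ok")
```

Only the last sample is reported; legitimate first, middle and last 
fragments, which set MF or a nonzero offset but never DF alongside MF, 
pass through untouched, which is why this rule has no known false 
positives from well-behaved stacks.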

--
Affected Systems:
All

--
Attack Scenarios:
The attacker would need to craft packets with both the "more fragments" 
and "don't fragment" bits set.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Employ a packet filtering firewall to deny outbound ICMP error messages.

--
Contributors:
Original rule writer unknown
Sourcefire Research Team
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--