Snort detects IPv6 Frag attack
-
About once a week, snort detects this:
2 | 1 | IPV6-FRAG | (spp_frag3) Bogus fragmentation packet. Possible BSD attack | Attempted Administrator Privilege Gain | empty | empty | -> | empty | empty | 123:10:1 | 07/03-16:15:42
Snort is only active on my LAN interface. Should I worry about this? How/why is all the address info 'empty'?
-
Not sure on the alert, I would have to look it up, but a quick answer to your last question: Snort is compiled to work with IPv6, but the pfSense GUI isn't set up to handle IPv6 addresses yet.
-
So it could simply be that someone on my LAN is trying to use IPv6 services?
-
Do you have a PCAP you can share of the traffic? If the source is "good" then it is likely a false positive though.
-
Unfortunately I do not; this was a few days ago and I didn't catch it in time.