Netgate Discussion Forum

    Snort detects IPv6 Frag attack

    pfSense Packages
      caustic386

      About once a week, snort detects this:

      2 | 1 | IPV6-FRAG | (spp_frag3) Bogus fragmentation packet. Possible BSD attack | Attempted Administrator Privilege Gain | empty | empty | -> | empty | empty | 123:10:1 | 07/03-16:15:42

      Snort is only active on my LAN interface.  Should I worry about this?  How/why is all the address info 'empty'?

        Cino

        @caustic386:

        Snort is only active on my LAN interface.  Should I worry about this?  How/why is all the address info 'empty'?

        Not sure on the alert, would have to look it up, but a quick answer to your last question: Snort is compiled to work with IPv6, but the pfSense GUI isn't set up to handle IPv6 addresses yet.

          caustic386

          So it could simply be that someone on my LAN is trying to use IPv6 services?

            kevross33

            Do you have a PCAP you can share of the traffic? If the source is "good" then it is likely a false positive though.

            @caustic386:

            So it could simply be that someone on my LAN is trying to use IPv6 services?

              caustic386

              Unfortunately I do not; this was a few days ago and I didn't catch it in time.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.