Snort detects IPv6 Frag attack



  • About once a week, Snort detects this:

    2 | 1 | IPV6-FRAG | (spp_frag3) Bogus fragmentation packet. Possible BSD attack | Attempted Administrator Privilege Gain | empty | empty | -> | empty | empty | 123:10:1 | 07/03-16:15:42

    Snort is only active on my LAN interface.  Should I worry about this?  How/why is all the address info 'empty'?



  • @caustic386:

    Snort is only active on my LAN interface.  Should I worry about this?  How/why is all the address info 'empty'?

    Not sure on the alert, would have to look it up, but a quick answer to your last question: Snort is compiled to work with IPv6 but the pfSense GUI isn't set up to handle IPv6 addresses yet.



  • So it could simply be that someone on my LAN is trying to use IPv6 services?



  • Do you have a PCAP you can share of the traffic? If the source is "good" then it is likely a false positive though.

    @caustic386:

    So it could simply be that someone on my LAN is trying to use IPv6 services?



  • Unfortunately I do not, this was a few days ago and I didn't catch it in time.

