Netgate Discussion Forum
    SNORT (spp_frag3) Fragmentation overlap (again and again and again)

    pfSense Packages
    • panz

      Hi,

      I'm struggling with this

      (spp_frag3) Fragmentation overlap

      alert and consequently block action in SNORT. I'm using a VPN provider, so the originating IP is the VPN exit node.

      I tried this solution

      https://forum.pfsense.org/index.php?topic=56267.msg412608#msg412608

      but the target of the error is NOT the Alias (aka the VPN exit node), but my WAN address, so that advice DOESN'T WORK.

      So, I tried another way: I disabled the frag detection both on the LAN and the WAN interfaces, but - now I'm puzzled - SNORT continues to block the connection!

      I couldn't disable the engine itself, because of dependencies (SNORT fires up a pop-up telling me that - by disabling the frag3 engine - I could cause a malfunction).

      pfSense 2.3.2-RELEASE-p1 (amd64)
      motherboard: MSI C847MS-E33 Micro ATX (with Intel Celeron CPU 847 @ 1.10 GHz) ~ PSU: Corsair VS350 ~ RAM: Kingston KVR1333D3E9S 4096 MB 240-pin DIMM DDR3 SDRAM 1.5 volt ~ NIC: Intel EXPI9301CTBLK (LAN) ~ NIC: D-Link DFE-528TX (CAM) ~ Hard Disk: Western Digital WD10JFCX Red ~ Case: Cooler Master HAF XB ~ power consumption: 21 Watts.

      • bmeeks

        @panz:

        Disable that particular preprocessor rule.  You can do this in one of two ways.  The easiest is on the ALERTS tab.  In the GID:SID column, click the red X to disable that rule.  The other method involves going to the RULES tab, select preprocessor rules in the drop-down box, then scroll down and find the rule and force it "off" by clicking the red icon on the left-hand side.

        Bill

        • panz

          Thank you Bill for the quick response.

          I chose to try to disable "Use Frag3 Engine to detect fragment anomalies" in the frag3 engine Options because I wanted to continue to receive the alerts, and eventually evaluate them.

          • bmeeks

            @panz:

            Did that work (disabling the "detect fragment anomalies" option), or did you wind up having to disable the rule itself?  Just curious…

            Bill

            • panz

              I disabled "Use Frag3 Engine to detect fragment anomalies"; it's working :)

              Will SNORT continue giving me the alerts? (I'd like to check the alerts for some days)

              panz

              • bmeeks

                @panz:

                Yes, Snort will alert from the text rules, but the option you disabled just tells Snort's fragmented packets processor to ignore weirdness in the packet stream (such as overlapped packets) and just reassemble them instead of alerting on them.

                Bill

                • panz

                  Sorry, I didn't ask my question with the right words.

                  Q: is there a method to set up SNORT in a manner that it will alert me for fragmented packets even if I disabled the frag3 engine detection?

                  • bmeeks

                    @panz:

                    No, that frag3 engine is where those alerts come from.

                    Bill

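Bill's answers above explain that the "(spp_frag3) Fragmentation overlap" alerts come from the frag3 preprocessor itself, and panz wanted to keep seeing them for a few days before deciding what to do. The script below is an added example, not code from this thread or from the pfSense Snort package: it reads Snort alert_fast log lines, counts the frag3 overlap events per source/destination pair, and emits Snort threshold.conf suppress entries scoped to the offending source address, so the preprocessor rule stays active for everyone else instead of being disabled globally. It assumes the overlap event is GID 123, SID 8 (taken from Snort's preprocessor.rules; confirm it against the GID:SID column on the ALERTS tab), and the sample log lines and addresses are constructed for the example.

```python
"""Triage Snort frag3 overlap alerts from an alert_fast log.

Added example, not code from the forum thread or from pfSense.
Assumes the '(spp_frag3) Fragmentation overlap' event is preprocessor
rule GID 123 / SID 8 (from Snort's preprocessor.rules); verify the
GID:SID shown on the ALERTS tab before relying on it.
"""
import re
from collections import Counter

FRAG3_GID = 123
FRAG3_OVERLAP_SID = 8  # assumed; check the GID:SID column on the ALERTS tab

# One alert_fast line: timestamp, [gid:sid:rev], message, optional
# classification, priority, protocol, then "src -> dst". IP-layer events
# such as frag3 carry no ports, text rules usually do, so ports are optional.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?$"
)


def parse_alert(line):
    """Return a dict for one alert_fast line (IPv4 only), or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio"):
        d[key] = int(d[key])
    return d


def frag3_overlap_summary(lines):
    """Count frag3 overlap alerts per (src, dst) pair; every other alert is ignored."""
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and alert["gid"] == FRAG3_GID and alert["sid"] == FRAG3_OVERLAP_SID:
            counts[(alert["src"], alert["dst"])] += 1
    return counts


def suppress_entries(counts, min_hits=1):
    """Build threshold.conf 'suppress' lines (the syntax the pfSense Snort
    Suppress List uses) that silence 123:8 only for sources seen at least
    min_hits times, keeping the rule active for all other sources."""
    sources = sorted({src for (src, _dst), n in counts.items() if n >= min_hits})
    return [
        f"suppress gen_id {FRAG3_GID}, sig_id {FRAG3_OVERLAP_SID}, track by_src, ip {src}"
        for src in sources
    ]


# Constructed sample log (not from the thread): the VPN exit node
# (203.0.113.5) is the source and the firewall's WAN address (198.51.100.7)
# is the target, which is why a suppress keyed on a destination alias
# for the VPN node would not match these events.
SAMPLE_LOG = """\
10/26-08:15:01.123456  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 203.0.113.5 -> 198.51.100.7
10/26-08:15:02.654321  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} 203.0.113.5 -> 198.51.100.7
10/26-08:16:10.000001  [**] [1:1000001:1] LOCAL sample text rule [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.0.2.10:80 -> 198.51.100.7:51234
10/26-08:17:45.777777  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Priority: 3] {UDP} 192.0.2.44 -> 198.51.100.7
"""

if __name__ == "__main__":
    summary = frag3_overlap_summary(SAMPLE_LOG.splitlines())
    for (src, dst), n in summary.most_common():
        print(f"{n:4d}  {src} -> {dst}")
    for entry in suppress_entries(summary, min_hits=2):
        print(entry)
```

Run it against /var/log/snort/<interface>/alert on the firewall (alert_fast is the layout the pfSense package writes) after a few days of collection; the per-pair counts show whether the overlaps all originate from the VPN exit node, and the generated suppress lines are a narrower alternative to turning off "detect fragment anomalies" for every source.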
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.