SNORT (spp_frag3) Fragmentation overlap (again and again and again)



  • Hi,

    I'm struggling with this

    (spp_frag3) Fragmentation overlap
    

    alert and consequently block action in SNORT. I'm using a VPN provider, so the originating IP is the VPN exit node.

    I tried this solution

    https://forum.pfsense.org/index.php?topic=56267.msg412608#msg412608

    but the target of the error is NOT the Alias (aka the VPN exit node), but my WAN address, so that advice DOESN'T WORK.

    So, I tried another way: I disabled the frag detection both on the LAN and the WAN interfaces, but - now I'm puzzled - SNORT continues to block the connection!

    I couldn't disable the engine itself, because of dependencies (SNORT fires up a pop-up telling me that - by disabling the frag3 engine - I could cause a malfunction).



  • @panz:

    Hi,

    I'm struggling with this

    (spp_frag3) Fragmentation overlap
    

    alert and consequently block action in SNORT. I'm using a VPN provider, so the originating IP is the VPN exit node.

    I tried this solution

    https://forum.pfsense.org/index.php?topic=56267.msg412608#msg412608

    but the target of the error is NOT the Alias (aka the VPN exit node), but my WAN address, so that advice DOESN'T WORK.

    So, I tried another way: I disabled the frag detection both on the LAN and the WAN interfaces, but - now I'm puzzled - SNORT continues to block the connection!

    I couldn't disable the engine itself, because of dependencies (SNORT fires up a pop-up telling me that - by disabling the frag3 engine - I could cause a malfunction).

    Disable that particular preprocessor rule.  You can do this in one of two ways.  The easiest is on the ALERTS tab.  In the GID:SID column, click the red X to disable that rule.  The other method involves going to the RULES tab, select preprocessor rules in the drop-down box, then scroll down and find the rule and force it "off" by clicking the red icon on the left-hand side.

    Bill



  • Thank you Bill for the quick response.

    I chose to try to disable "Use Frag3 Engine to detect fragment anomalies" in the frag3 engine Options because I wanted to continue to receive the alerts, and eventually evaluate them.



  • @panz:

    Thank you Bill for the quick response.

    I chose to try to disable "Use Frag3 Engine to detect fragment anomalies" in the frag3 engine Options because I wanted to continue to receive the alerts, and eventually evaluate them.

    Did that work (disabling the "detect fragment anomalies" option), or did you wind up having to disable the rule itself?  Just curious…

    Bill



  • I disabled "Use Frag3 Engine to detect fragment anomalies"; it's working :)

    Will SNORT continue giving me the alerts? (I'd like to check the alerts for some days)

    panz
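    An added example (not code from this thread, from the pfSense Snort package, or from the Snort project) for "checking the alerts for some days": it parses the alert_fast lines Snort 2.x writes, counts the frag3 preprocessor events (GID 123) by SID and by destination address, and prints the `suppress` directive that would keep the rule enabled but silence it for one destination only, which is the alternative to disabling 123:8 outright when the events are all aimed at your own WAN address. The log lines and the addresses (RFC 5737 documentation ranges standing in for a VPN exit node and a WAN IP) are constructed for the example; the 123:8 / "Fragmentation overlap" pairing is what Snort 2.9's preprocessor.rules assigns to FRAG3_ANOMALY_OVLP, so confirm the GID:SID against your own Alerts tab before using the generated line.

```python
"""Triage of Snort alert_fast lines for (spp_frag3) preprocessor events.

Added example for the forum thread above; not code from the thread, the
pfSense Snort package, or the Snort project. All log lines below are
constructed samples, not captured traffic.
"""
import re
from collections import Counter

# Constructed Snort alert_fast output. 203.0.113.10 stands in for the VPN
# exit node, 198.51.100.7 for the pfSense WAN address (RFC 5737 ranges).
SAMPLE_LOG = """\
03/14-09:12:33.104512  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 203.0.113.10 -> 198.51.100.7
03/14-09:12:33.104899  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 203.0.113.10 -> 198.51.100.7
03/14-09:13:01.551200  [**] [123:3:1] (spp_frag3) Short fragment, possible DoS attempt [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 192.0.2.44 -> 198.51.100.7
03/14-09:15:09.000317  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.7:80 -> 192.0.2.9:51544
03/14-09:20:47.771003  [**] [123:8:1] (spp_frag3) Fragmentation overlap [**] [Classification: Generic Protocol Command Decode] [Priority: 3] {UDP} 203.0.113.10 -> 198.51.100.7
"""

# alert_fast layout: <timestamp>  [**] [gid:sid:rev] <msg> [**] [Classification: ...]
# [Priority: n] {PROTO} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

FRAG3_GID = 123  # generator id of the frag3 preprocessor in Snort 2.x


def parse_alert(line):
    """Parse one alert_fast line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["gid"], d["sid"], d["rev"] = int(d["gid"]), int(d["sid"]), int(d["rev"])
    return d


def frag3_summary(log_text):
    """Count frag3 events by (sid, message) and by destination IP.

    Returns (by_sig, by_dst). Non-frag3 alerts (other GIDs) are ignored so the
    numbers reflect only what the preprocessor reported.
    """
    by_sig, by_dst = Counter(), Counter()
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None or a["gid"] != FRAG3_GID:
            continue
        by_sig[(a["sid"], a["msg"])] += 1
        by_dst[a["dst"]] += 1
    return by_sig, by_dst


def suppress_line(gid, sid, dst_ip):
    """Snort threshold.conf syntax (what the pfSense Suppress List holds): the
    rule stays enabled and still fires for other destinations, but events for
    this one destination are dropped before they reach the alert log."""
    return f"suppress gen_id {gid}, sig_id {sid}, track by_dst, ip {dst_ip}"


if __name__ == "__main__":
    by_sig, by_dst = frag3_summary(SAMPLE_LOG)
    for (sid, msg), n in by_sig.most_common():
        print(f"{FRAG3_GID}:{sid:<3} {n:>3}  {msg}")
    for dst, n in by_dst.most_common():
        print(f"destination {dst}: {n} frag3 event(s)")
    # Everything here targets the WAN address, so the narrow fix is a
    # per-destination suppress rather than switching 123:8 off globally.
    wan_ip = by_dst.most_common(1)[0][0]
    print(suppress_line(FRAG3_GID, 8, wan_ip))
```

    If the counts show the overlaps arriving only from the VPN server and only toward the WAN address, a `track by_dst` suppress on the WAN IP (or `track by_src` on the VPN exit node) keeps the 123:8 rule alive for every other host on the network, which is a narrower change than either disabling the preprocessor rule or turning off anomaly detection for the whole engine.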



  • @panz:

    I disabled "Use Frag3 Engine to detect fragment anomalies"; it's working :)

    Will SNORT continue giving me the alerts? (I'd like to check the alerts for some days)

    panz

    Yes, Snort will alert from the text rules, but the option you disabled just tells Snort's fragmented-packet processor to ignore weirdness in the packet stream (such as overlapped packets) and just reassemble them instead of alerting on them.

    Bill
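    To make Bill's point concrete, here is an added toy reassembler (not code from this thread or from the Snort project) over constructed IPv4-style fragments. It models two of frag3's overlap policies, `first` (bytes from the earlier fragment win) and `last` (bytes from the later fragment win), and a `detect_anomalies` switch that corresponds to the pfSense checkbox "Use Frag3 Engine to detect fragment anomalies". Real frag3 selects its overlap behaviour from the target-OS `policy` keyword (`linux`, `windows`, `bsd`, and so on) with more cases than these two, and uses 8-byte fragment offsets; byte offsets and the two simple policies are simplifications for readability. What the example shows is that two overlapping fragments can carry different bytes, that the reassembled datagram depends on which policy wins, and that unticking anomaly detection only removes the alert, not the overlap.

```python
"""Why a fragment overlap is worth an alert, and what detect_anomalies changes.

Added example for the forum thread above; not code from the thread or from
the Snort project. Fragments below are constructed, not captured.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset within the datagram (real IPv4 uses 8-byte units)
    data: bytes
    more: bool    # IP "more fragments" flag; False on the last fragment


def reassemble(frags, policy="first", detect_anomalies=True):
    """Reassemble fragments in arrival order.

    Returns (payload, alerts): payload is None while the datagram is
    incomplete; alerts lists the anomaly names that would have fired.
    policy 'first' keeps bytes from the earlier fragment, 'last' lets the
    later fragment overwrite them. With detect_anomalies=False the overlap is
    still resolved by `policy`, but nothing is reported, which is what
    disabling fragment anomaly detection in the frag3 engine options does.
    """
    if policy not in ("first", "last"):
        raise ValueError("policy must be 'first' or 'last'")
    buf = {}        # byte position -> byte value
    alerts = []
    total = None    # datagram length, known once the last fragment arrives
    for f in frags:
        overlapped = False
        for i, b in enumerate(f.data):
            pos = f.offset + i
            if pos in buf:
                overlapped = True
                if policy == "last":
                    buf[pos] = b      # later fragment overrides earlier data
                # policy 'first': keep the byte that arrived first
            else:
                buf[pos] = b
        if overlapped and detect_anomalies:
            alerts.append("Fragmentation overlap")   # frag3's 123:8 event
        if not f.more:
            total = f.offset + len(f.data)
    if total is None or any(i not in buf for i in range(total)):
        return None, alerts
    return bytes(buf[i] for i in range(total)), alerts


# Constructed sample: the second fragment rewrites the URL path carried in the
# first one. Bytes 4..13 of the datagram are claimed by both fragments.
OVERLAP_SAMPLE = [
    Fragment(0,  b"GET /safe.html HTTP", True),
    Fragment(4,  b"/evil.html",          True),
    Fragment(19, b"/1.0\r\n",            False),
]

# Constructed sample with no overlap: a plain two-piece datagram.
CLEAN_SAMPLE = [
    Fragment(0, b"abcd", True),
    Fragment(4, b"ef",   False),
]


if __name__ == "__main__":
    for policy in ("first", "last"):
        for detect in (True, False):
            payload, alerts = reassemble(OVERLAP_SAMPLE, policy, detect)
            print(f"policy={policy:<5} detect_anomalies={detect!s:<5} "
                  f"payload={payload!r} alerts={alerts}")
    print("clean:", reassemble(CLEAN_SAMPLE))
```

    The two policies hand the text rules different datagrams (`/safe.html` versus `/evil.html`), and which one the real end host would see is a property of that host's IP stack, not of Snort; that is why frag3's `policy` keyword is set per target, and why an overlap that does not match any legitimate retransmission pattern is normally kept as an alert rather than silently reassembled.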



  • Sorry, I didn't ask my question with the right words.

    Q: is there a method to setup SNORT in a manner that it will alert me for fragmented packets even if I disabled the frag3 engine detection?



  • @panz:

    Sorry, I didn't ask my question with the right words.

    Q: is there a method to setup SNORT in a manner that it will alert me for fragmented packets even if I disabled the frag3 engine detection?

    No, that frag3 engine is where those alerts come from.

    Bill

