SNORT (spp_frag3) Fragmentation overlap (again and again and again)

panz

Hi,

I'm struggling with this

(spp_frag3) Fragmentation overlap

alert and consequently block action in SNORT. I'm using a VPN provider, so the originating IP is the VPN exit node.

I tried this solution

https://forum.pfsense.org/index.php?topic=56267.msg412608#msg412608

but the target of the error is NOT the Alias (aka the VPN exit node), but my WAN address, so that advice DOESN'T WORK.

So, I tried another way: I disabled the frag detection both on the LAN and the WAN interfaces, but - now I'm puzzled - SNORT continues to block the connection!

I couldn't disable the engine itself, because of dependencies (SNORT fires up a pop-up telling me that - by disabling the frag3 engine - I could cause a malfunction).

bmeeks

@panz:

Hi,

I'm struggling with this

(spp_frag3) Fragmentation overlap

alert and consequently block action in SNORT. I'm using a VPN provider, so the originating IP is the VPN exit node.

I tried this solution

https://forum.pfsense.org/index.php?topic=56267.msg412608#msg412608

but the target of the error is NOT the Alias (aka the VPN exit node), but my WAN address, so that advice DOESN'T WORK.

So, I tried another way: I disabled the frag detection both on the LAN and the WAN interfaces, but - now I'm puzzled - SNORT continues to block the connection!

I couldn't disable the engine itself, because of dependencies (SNORT fires up a pop-up telling me that - by disabling the frag3 engine - I could cause a malfunction).

Disable that particular preprocessor rule.  You can do this in one of two ways.  The easiest is on the ALERTS tab.  In the GID:SID column, click the red X to disable that rule.  The other method involves going to the RULES tab, select preprocessor rules in the drop-down box, then scroll down and find the rule and force it "off" by clicking the red icon on the left-hand side.

Bill

panz

Thank you Bill for the quick response.

I choose to try to disable "Use Frag3 Engine to detect fragment anomalies" in the frag3 engine Options because I wanted to continue to receive the alerts, and eventually evaluate them.

bmeeks

@panz:

Thank you Bill for the quick response.

I choose to try to disable "Use Frag3 Engine to detect fragment anomalies" in the frag3 engine Options because I wanted to continue to receive the alerts, and eventually evaluate them.

Did that work (disabling the "detect fragment anomalies" option), or did you wind up having to disable the rule itself?  Just curious…

Bill

panz

I disabled "Use Frag3 Engine to detect fragment anomalies"; it's working :)

Will SNORT continue giving me the alerts? (I'd like to check the alerts for some days)

panz

bmeeks

@panz:

I disabled "Use Frag3 Engine to detect fragment anomalies"; it's working :)

Will SNORT continue giving me the alerts? (I'd like to check the alerts for some days)

panz

Yes Snort will alert from the text rules, but the option you disabled just tells Snort's fragmented packets processor to ignore weirdness in the packet stream (such as overlapped packets) and just reassemble them instead of alerting on them.

Bill

panz

Sorry, I didn't ask my question with the right words.

Q: is there a method to setup SNORT in a manner that it will alert me for fragmented packets even if I disabled the frag3 engine detection?

bmeeks

@panz:

Sorry, I didn't ask my question with the right words.

Q: is there a method to setup SNORT in a manner that it will alert me for fragmented packets even if I disabled the frag3 engine detection?

No, that frag3 engine is where those alerts come from.

Bill