These messages are coming from a network SAN (Netgear SC101) when it is accessed. Is there any way to stop these messages from these IPs only …
I have tried messing around with the rules but they still appear.
Date/Time :2007-06-15 13:10:38
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fragmented IP Packet)
Direction: IP Incoming
Source: 192.168.1.106
Destination: 192.168.1.156
Protocol : UDP
Reason: Fragmented IP packets are not allowed
Date/Time :2007-06-15 13:10:38
Severity :High
Reporter :Network Monitor
Description: Blocked by Protocol Analysis (Fake or Malformed UDP Packet)
Direction: UDP Incoming
Source: 192.168.1.106:20001
Destination: 192.168.1.156:1050
Reason: UDP packet length and the size on the wire(2082 bytes) do not match
You can disable the “Block fragmented IP datagrams”:
Security → Advanced → Advanced Attack Detection and prevention → Miscellaneous → uncheck “Block fragmented IP datagrams”
It seems that the Netgear is at fault here: the UDP packet length should be less than the MTU.
The best solution though, is to fix the Netgear box; a firmware upgrade?
Fragmented datagrams pose a security risk and should not be allowed (“This option should not be disabled unless necessary”).
I am not sure if it is possible to set up a network rule to accept fragmented packets from a single source …
Unfortunately you can’t use the “fragmented packets” option in a rule. It’s a global setting that is either on or off and is applied to a system, not to an individual application or to an individual device.
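The two alerts quoted in the question are consistent with one oversized UDP datagram being split into IP fragments. The sketch below is an added example, not part of the thread and not the firewall's own logic: it fragments a constructed 2082-byte datagram at an assumed MTU of 1500 and applies two checks similar in spirit to the alerts. The helper names and the sample datagram are hypothetical.

```python
import struct

SRC, DST = bytes([192, 168, 1, 106]), bytes([192, 168, 1, 156])  # addresses from the log

def build_ipv4(payload, more_fragments, offset_bytes):
    """Wrap payload in a minimal IPv4 header (checksum left at 0; constructed data)."""
    flags_frag = (0x2000 if more_fragments else 0) | (offset_bytes // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_frag, 64, 17, 0, SRC, DST)
    return header + payload

def fragment_udp(udp_datagram, mtu=1500):
    """Split a UDP datagram into IPv4 fragments the way an IP stack would."""
    chunk = (mtu - 20) // 8 * 8  # fragment payloads are multiples of 8 bytes
    frags = []
    for off in range(0, len(udp_datagram), chunk):
        more = off + chunk < len(udp_datagram)
        frags.append(build_ipv4(udp_datagram[off:off + chunk], more, off))
    return frags

def inspect(packet):
    """Report the two conditions named in the alerts for one IPv4 packet."""
    ver_ihl, _, total_len, _, flags_frag, _, proto = struct.unpack("!BBHHHBB", packet[:10])
    ihl = (ver_ihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)        # MF (more fragments) flag
    offset = (flags_frag & 0x1FFF) * 8      # fragment offset in bytes
    result = {"fragmented": more or offset > 0, "offset": offset,
              "udp_length": None, "length_mismatch": None}
    if proto == 17 and offset == 0:         # UDP header exists only in the first fragment
        udp_len = struct.unpack("!H", packet[ihl + 4:ihl + 6])[0]
        result["udp_length"] = udp_len
        result["length_mismatch"] = udp_len != total_len - ihl
    return result

def sample_datagram(total=2082):
    """Constructed UDP datagram: ports from the log, zero-filled payload."""
    return struct.pack("!HHHH", 20001, 1050, total, 0) + bytes(total - 8)

if __name__ == "__main__":
    for frag in fragment_udp(sample_datagram()):
        print(inspect(frag))
```

A datagram that fits inside the MTU produces a single unfragmented packet with matching lengths, which is why the reply points at the sending device rather than the firewall.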