6.x to 7.x Mappings
Table A-1 6.x to 7.0 Keyword Mapping (continued)
6.x Keyword: FRAG1
7.0 XML Attribute: NSC/SC/C/NetworkLayer/small-frag-with-tcp-flags
Description: Similar to "NSC/SC/C/NetworkLayer/small-frag-no-tcp-flags" on page A-15, except that it makes the Network Sensor look for TCP packets with an IP fragment offset of 1. Because the fragment offset field counts 8-byte units, an offset of 1 means the fragment begins 8 bytes into the TCP header: the source and destination ports (the first 4 bytes of the header) arrived in the preceding fragment, and the TCP flags byte (byte 13 of the header) arrives in this one. Such fragments occur naturally on some networks, but they are extremely rare; far more often they are crafted packets generated by an attacker. The technique is used to bypass some firewalls and to avoid port-scan detection: a device that filters on the first fragment sees the ports but not the flags, and one that sees the second fragment sees the flags but not the ports, which confuses many network devices, including firewalls and some intrusion detection systems. The Network Sensor records the entire packet and gathers subsequent fragments if "NSC/SC/C/Dynamic/logging" on page A-10 is enabled. However, if other portions of the fragmented packet arrive first, the packet may not be recorded. These events are labeled FRAG-TCP-ONE.
This setting most commonly fires on Nmap fragmented SYN scans (Nmap's -f option splits the headers into 8-byte fragments), where the TCP source and destination ports arrive in the first fragment and the TCP flags arrive in the second. It also fires when a remote attacker attempts to bypass a network IDS by artificially fragmenting packets into smaller pieces.

6.x Keyword: FRAMEOFFSET
7.0 XML Attribute: NSC/Device/frame-offset
Description: Informs the Network Sensor of the size of the layer-two header. The sensor uses this value to find the beginning of the IP header in each captured frame, so it must match the actual link-layer encapsulation on the monitored segment (for example, plain Ethernet II frames carry a 14-byte header, while 802.1Q-tagged frames carry 18 bytes).
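The following is an added worked example and is not code from the ISS manual or the Network Sensor product. It builds a TCP SYN, splits it into 8-byte IP fragments the way a fragmented Nmap scan does, and applies the two checks described in this table: skipping a configured layer-two header size (the frame-offset setting) to find the IP header, and flagging TCP fragments with a fragment offset of 1 (the FRAG1 / FRAG-TCP-ONE condition). The addresses, ports, identifier, the 14- and 18-byte frame sizes and all function names are assumptions chosen for the example; the sample frames are constructed inline.

```python
"""Added example: fragment a TCP SYN into 8-byte IP fragments and run a
FRAG-TCP-ONE style check over each frame.  Not the product's own code."""
import struct

IP_PROTO_TCP = 6
TCP_SYN = 0x02
ETHERNET_II_HDR = 14    # assumed layer-two header size (untagged Ethernet)
DOT1Q_HDR = 18          # assumed layer-two header size (802.1Q-tagged frame)


def checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, ident, frag_offset_units, more_fragments, payload):
    """IPv4 header plus payload.  frag_offset_units is in 8-byte units, exactly
    as carried in the 13-bit Fragment Offset field; MF is bit 0x2000."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                      flags_frag, 64, proto, 0,
                      bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_tcp_syn(sport, dport, seq=0x11223344):
    """20-byte TCP header with only SYN set (constructed sample, checksum left 0).
    Ports occupy bytes 0-3; the flags byte is byte 13."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, TCP_SYN, 65535, 0, 0)


def fragment(src, dst, proto, ident, payload, size=8):
    """Split a transport payload into IP fragments of `size` bytes (Nmap -f uses 8)."""
    frags = []
    for off in range(0, len(payload), size):
        chunk = payload[off:off + size]
        more = off + size < len(payload)
        frags.append(build_ipv4(src, dst, proto, ident, off // 8, more, chunk))
    return frags


def parse_ip(frame, frame_offset=ETHERNET_II_HDR):
    """Skip the layer-two header (the frame-offset value) and decode the IP fields
    a fragment check needs."""
    ip = frame[frame_offset:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    flags_frag = struct.unpack("!H", ip[6:8])[0]
    return {
        "proto": ip[9],
        "offset_units": flags_frag & 0x1FFF,
        "more_fragments": bool(flags_frag & 0x2000),
        "payload": ip[ihl:total_len],
    }


def visible_tcp_fields(f):
    """Which TCP header fields this fragment actually carries."""
    start = f["offset_units"] * 8
    end = start + len(f["payload"])
    return {"ports": start == 0 and end >= 4, "flags": start <= 13 < end}


def tcp_flags(frame, frame_offset=ETHERNET_II_HDR):
    """The TCP flags byte if this fragment contains it, else None."""
    f = parse_ip(frame, frame_offset)
    start = f["offset_units"] * 8
    if not (start <= 13 < start + len(f["payload"])):
        return None
    return f["payload"][13 - start]


def classify(frame, frame_offset=ETHERNET_II_HDR):
    """FRAG1-style check: a TCP fragment whose offset is exactly 1 (8 bytes) is
    labeled FRAG-TCP-ONE; everything else returns None."""
    f = parse_ip(frame, frame_offset)
    if f["proto"] == IP_PROTO_TCP and f["offset_units"] == 1:
        return "FRAG-TCP-ONE"
    return None


def demo_frames(l2_len=ETHERNET_II_HDR):
    """Constructed sample: a SYN to port 80 split into three 8-byte fragments,
    each prefixed with a dummy layer-two header of l2_len bytes."""
    syn = build_tcp_syn(40000, 80)
    frags = fragment("10.0.0.1", "10.0.0.2", IP_PROTO_TCP, 0xBEEF, syn)
    return [b"\x00" * l2_len + fr for fr in frags]


if __name__ == "__main__":
    for i, fr in enumerate(demo_frames()):
        f = parse_ip(fr)
        print(i, f["offset_units"], visible_tcp_fields(f), classify(fr))
```

Fragment 0 exposes the ports but no flags, fragment 1 exposes the SYN flag but no ports, and only fragment 1 raises FRAG-TCP-ONE; running the same frames through `parse_ip` with the wrong frame-offset value misreads every field, which is why frame-offset has to match the monitored link type.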