Well, according to the MS link, a specific large ICMP packet is used. I'm guessing that is what is being fragmented. It appears one option is to modify the MS clients to use a smaller ICMP packet for this process. But I think you'll find other "normal" software using large ICMP too.
Is there something that leads you to believe that fragmented ICMP is a good indication of worm propagation? Personally, I don't think it is. What _might_ be a good indicator is the ICMP messages themselves (not whether they are fragmented). If suddenly one or more hosts are scanning subnets with ICMP, then there should be other incidents firing than "fragmented ICMP". I'm not even talking about IDS alarms; just the normal log information about "connections" received from the ASA should generate an incident in CSMARS.
You should be able to test this pretty easily with nmap.
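To illustrate the point made above (that the ASA's ordinary ICMP connection logs, rather than the "fragmented" property, are what reveal a host sweeping subnets), here is an added example that is not from the original thread or from Cisco. It parses constructed syslog lines in the shape of ASA message 302020 ("Built ... ICMP connection") and flags any source that has reached an unusual number of distinct destinations. The field layout of the sample lines, the inbound/outbound mapping of `faddr`/`laddr` to source and destination, and the threshold of 8 destinations are all assumptions for this example; check them against your own ASA output.

```python
import re
from collections import defaultdict

# Regex for an ASA 302020-style "Built ICMP connection" message.
# Assumption: the ASA writes "faddr <ip>/<type> gaddr <ip>/<code> laddr <ip>/<code>";
# adjust the pattern if your firmware's layout differs.
LINE_RE = re.compile(
    r"%ASA-6-302020: Built (?P<direction>inbound|outbound) ICMP connection for "
    r"faddr (?P<faddr>[\d.]+)/\d+ gaddr (?P<gaddr>[\d.]+)/\d+ laddr (?P<laddr>[\d.]+)/\d+"
)


def parse_icmp_connection(line):
    """Return (source_ip, destination_ip) for a 302020 line, or None if it is not one.

    Assumption: for an outbound connection the local address (laddr) is the
    host that sent the echo request and the foreign address (faddr) is the
    target; for an inbound connection the roles are reversed.
    """
    m = LINE_RE.search(line)
    if m is None:
        return None
    if m["direction"] == "outbound":
        return m["laddr"], m["faddr"]
    return m["faddr"], m["laddr"]


def find_icmp_sweeps(lines, threshold=8):
    """Map each source IP that reached >= threshold distinct destinations to that count.

    Fragmentation is deliberately ignored: a host pinging a dozen neighbours
    is interesting whether or not any of those packets were fragmented.
    """
    destinations = defaultdict(set)
    for line in lines:
        parsed = parse_icmp_connection(line)
        if parsed is None:
            continue  # skip anything that is not an ICMP connection record
        src, dst = parsed
        destinations[src].add(dst)
    return {src: len(dsts) for src, dsts in destinations.items() if len(dsts) >= threshold}


# Constructed sample log: one inside host (192.168.1.50) sweeps twelve addresses
# on 10.20.30.0/24, another (192.168.1.7) pings two hosts, and one unrelated
# inbound echo arrives from 203.0.113.9. None of this is real traffic.
SAMPLE_LOGS = [
    f"%ASA-6-302020: Built outbound ICMP connection for faddr 10.20.30.{n}/0 "
    f"gaddr 192.168.1.50/0 laddr 192.168.1.50/0"
    for n in range(1, 13)
] + [
    "%ASA-6-302020: Built outbound ICMP connection for faddr 10.20.30.1/0 gaddr 192.168.1.7/0 laddr 192.168.1.7/0",
    "%ASA-6-302020: Built outbound ICMP connection for faddr 10.20.30.2/0 gaddr 192.168.1.7/0 laddr 192.168.1.7/0",
    "%ASA-6-302020: Built inbound ICMP connection for faddr 203.0.113.9/8 gaddr 192.168.1.7/0 laddr 192.168.1.7/0",
    "%ASA-6-302013: Built outbound TCP connection 4242 for outside:10.20.30.1/139 (10.20.30.1/139) to inside:192.168.1.50/51000 (192.168.1.50/51000)",
]


if __name__ == "__main__":
    for src, count in find_icmp_sweeps(SAMPLE_LOGS).items():
        print(f"possible ICMP sweep from {src}: {count} distinct destinations")
```

Run against a real syslog export, the same function gives a first cut at the "host scanning subnets with ICMP" condition the post describes, which is the kind of correlation CS-MARS should be doing from the ASA connection events alone; the worm-propagation rule would then add the follow-on TCP connections (such as port 139) on top of it.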
Well, I agree with you: in CS-MARS I can see incidents matching the "System Rule: Worm Propagation - Attempt" rule, with fragmented ICMP and also related TCP connections (i.e. TCP 139), but the rule "System Rule: Server Attack: Misc. - Attempt" (event type "Fragmented ICMP traffic") fires only on fragmented ICMP traffic: this is the problem, only ICMP!
Regarding the "System Rule: Server Attack: Misc. - Attempt" rule, it should fire on a single event received that is a member of any of these event categories:
signature 2150-0 maps to event type "Fragmented ICMP Traffic", which is a member of the DoS/Host and DoS/All event type categories. So, a single 2150-0 would normally trigger this rule.
If your goal is to have sig 2150-0 fire (and thus the CSMARS rule) for all other fragmented ICMP traffic except that which results from Windows slow link detection, one option is to create an event action filter on the sensor that won't create an alert for 2150-0 if the destination is a domain controller.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log in using the username and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...