https://live.paloaltonetworks.com/t5/general-topics/smb-fragment-packet-found-32332/m-p/8098#M5974 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Anyone have experience of this firing off continuously for 'normal' LAN traffic (deffo not being used as an evasion technique) since the signature was modified (v337)?</P><P></P><P>Cheers</P></BODY></HTML> Fri, 09 Nov 2012 15:42:17 GMT apackard 2012-11-09T15:42:17Z https://live.paloaltonetworks.com/t5/general-topics/smb-fragment-packet-found-32332/m-p/8098#M5974 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Anyone have experience of this firing off continuously for 'normal' LAN traffic (deffo not being used as an evasion technique) since the signature was modified (v337)?</P><P></P><P>Cheers</P></BODY></HTML> Fri, 09 Nov 2012 15:42:17 GMT https://live.paloaltonetworks.com/t5/general-topics/smb-fragment-packet-found-32332/m-p/8098#M5974 apackard 2012-11-09T15:42:17Z https://live.paloaltonetworks.com/t5/general-topics/smb-fragment-packet-found-32332/m-p/8099#M5975 <HTML><HEAD></HEAD><BODY><P>It is set for medium severity (<A href="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/32332" title="https://threatvault.paloaltonetworks.com/Home/ThreatDetail/32332">https://threatvault.paloaltonetworks.com/Home/ThreatDetail/32332</A>) which would mean that it will be blocked if you use a somewhat sane IPS setup of:</P><P></P><P>critical: block</P><P>high: block</P><P>medium: block</P><P>low: default</P><P>informational: default</P><P></P><P>What about if you block the traffic in your case - will the clients start to complain? Any specific clients like Win8 or Samba *nix clients or such (to narrow it down)?</P></BODY></HTML> Sat, 10 Nov 2012 09:37:36 GMT https://live.paloaltonetworks.com/t5/general-topics/smb-fragment-packet-found-32332/m-p/8099#M5975 mikand 2012-11-10T09:37:36Z