Snort mailing list archives
Re: IP short header
From: John Sage <jsage () finchhaven com>
Date: Sat, 2 Mar 2002 15:55:15 -0800
Well, the short answer that doesn't tell you much is that the IP header is expected to be 20 bytes long.

What you're receiving is only 18 long, and it triggers a rule in -- hmm.. I can't grep for 'short header' in *.rules -- what version of snort did you say you were running, and what platform ;-) ?

Do you have a full packet capture?

- John
--
Most people don't type their own logfiles; but, what do I care?

On Sun, Mar 03, 2002 at 11:52:06AM +1300, Render-Vue wrote:
> Hi Yah,
>
> Started seeing a lot of these show up in logcheck, have had snort running for several months now and haven't seen these before. Anything to be concerned about?
>
> Mar 2 02:33:18 ns snort: ICMP Unreachable IP short header (18 bytes)
> Mar 2 02:40:09 ns snort: ICMP Unreachable IP short header (18 bytes)
> Mar 2 02:41:21 ns snort: ICMP Unreachable IP short header (18 bytes)
> Mar 2 02:44:28 ns snort: ICMP Unreachable IP short header (18 bytes)
> Mar 2 02:50:00 ns snort: ICMP Unreachable IP short header (18 bytes)
> Mar 2 03:33:05 ns snort: ICMP Unreachable IP short header (12 bytes)
> Mar 2 03:35:41 ns snort: ICMP Unreachable IP short header (18 bytes)
> Mar 2 06:15:42 ns snort: ICMP Unreachable IP short header (18 bytes)
>
> Regards from Auckland
> Chae
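The length check discussed in this message, as an added example that is not part of the original post and is not Snort's own code: an ICMP Destination Unreachable quotes the offending datagram's IP header after its own 8-byte header, and a decoder flags the quote when fewer than 20 bytes are present. It assumes the byte count in the alert is the data left after the ICMP header; the function names and the sample packet are constructed for illustration.

```python
import struct

IP_HEADER_LEN = 20     # minimum IPv4 header (no options)
ICMP_HEADER_LEN = 8    # type, code, checksum, 4 unused bytes
ICMP_DEST_UNREACH = 3


def check_embedded_ip(icmp: bytes) -> str:
    """Classify the IP header quoted inside an ICMP Destination Unreachable."""
    if len(icmp) < ICMP_HEADER_LEN:
        return "truncated ICMP header"
    icmp_type, _code = struct.unpack("!BB", icmp[:2])
    if icmp_type != ICMP_DEST_UNREACH:
        return "not an ICMP unreachable"
    quoted = icmp[ICMP_HEADER_LEN:]
    if len(quoted) < IP_HEADER_LEN:
        # Same wording as the log lines in the quoted message.
        return f"ICMP Unreachable IP short header ({len(quoted)} bytes)"
    version = quoted[0] >> 4
    ihl = (quoted[0] & 0x0F) * 4          # header length field, in bytes
    if version != 4 or ihl < IP_HEADER_LEN:
        return "malformed quoted IP header"
    if len(quoted) < ihl + 8:
        # RFC 792: the quote carries the IP header plus 64 bits of payload.
        return "quoted IP header ok, fewer than 8 bytes of original datagram"
    return "ok"


def sample_unreachable(quoted_len: int) -> bytes:
    """Constructed sample: port-unreachable quoting a UDP datagram,
    with the quote cut to quoted_len bytes. Checksums are left at zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2]))
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)
    icmp_hdr = struct.pack("!BBHI", ICMP_DEST_UNREACH, 3, 0, 0)
    return icmp_hdr + (ip + udp)[:quoted_len]


if __name__ == "__main__":
    for n in (18, 12, 20, 28):
        print(n, "->", check_embedded_ip(sample_unreachable(n)))
```

Running the same check over a full packet capture shows which sender is truncating the quoted header.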