Snort mailing list archives
Re: Re: IP short header
From: Fyodor <fygrave () tigerteam net>
Date: Sun, 3 Mar 2002 18:24:02 +0700
Peter Kahle <pkahle () pobox com> spoke:
Message: 7
Date: Sat, 2 Mar 2002 15:55:15 -0800
From: John Sage <jsage () finchhaven com>
To: Render-Vue <sales () render-vue com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] IP short header

Well, the short answer that doesn't tell you much is that the IP header is expected to be 20 bytes long. What you're receiving is only 18 long, and it triggers a rule in -- hmm.. I can't grep for 'short header' in *.rules -- what version of snort did you say you were running, and what platform ;-) ?

This looks suspiciously like a DEBUG printf in DecodeIPOnly (I'm looking in 1.8.1 source, I think):

    printf("ICMP Unreachable IP header length: %lu\n", (unsigned long)hlen);

So it may not be in a rule at all.

It isn't the rule. Normally ICMP packets should carry at least 64 bits of original datagram (+ icmp header, + ip header), what probably is in your case is that the datagram is truncated, therefore snort complains. If you aren't interested in seeing that, patching the snort code is pretty much the only way. Guess we should have made all those errors turnable on/off by an option though.
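
The check discussed in this thread, as an added example that is not part of the original messages and is not Snort's decoder code: a validator for the original datagram quoted inside an ICMP error, which per RFC 792 should hold the full IP header plus 64 bits of data. The function name, status enum and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Result of validating the original datagram quoted inside an ICMP error. */
enum quoted_status {
    QUOTED_OK,            /* full IP header plus at least 8 bytes of data */
    QUOTED_SHORT_HEADER,  /* fewer than 20 bytes: no complete minimal IP header */
    QUOTED_BAD_VERSION,   /* version nibble is not 4 */
    QUOTED_BAD_IHL,       /* IHL field claims a header shorter than 20 bytes */
    QUOTED_TRUNC_OPTIONS, /* IHL claims more header than was captured */
    QUOTED_SHORT_DATA     /* header complete, but under 64 bits of payload */
};

/* buf points just past the 8-byte ICMP header; len is what remains. */
enum quoted_status check_quoted_datagram(const uint8_t *buf, size_t len)
{
    if (len < 20)
        return QUOTED_SHORT_HEADER;
    if ((buf[0] >> 4) != 4)
        return QUOTED_BAD_VERSION;
    size_t hlen = (size_t)(buf[0] & 0x0f) * 4;   /* IHL is in 32-bit words */
    if (hlen < 20)
        return QUOTED_BAD_IHL;
    if (len < hlen)
        return QUOTED_TRUNC_OPTIONS;
    if (len - hlen < 8)
        return QUOTED_SHORT_DATA;
    return QUOTED_OK;
}

/* Constructed sample: minimal IPv4 header (IHL=5) followed by 8 data bytes. */
static const uint8_t sample[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00, 0x40, 0x11,
    0x00, 0x00, 192, 0, 2, 1, 192, 0, 2, 2,
    0x04, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};

int main(void)
{
    size_t lens[] = { 28, 20, 18 };   /* full, header only, 18 bytes */
    for (size_t i = 0; i < 3; i++)
        printf("len=%zu -> status %d\n", lens[i],
               (int)check_quoted_datagram(sample, lens[i]));
    return 0;
}
```

A sensor that records the distinct status instead of printing a single length can separate a quoted header cut off in transit from one whose IHL field is itself invalid.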