Snort mailing list archives

Re: 1.9.0 and "Unknown Datagram decoding problem"


From: Chris Green <cmg () sourcefire com>
Date: Tue, 08 Oct 2002 19:23:08 -0400

Erek Adams <erek () theadamsfamily net> writes:

On Wed, 9 Oct 2002, Jason Haar wrote:

On our network, this alert is triggering every time our SNMP network
management server talks to any host over our VPN. It appears to be matching
on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
traffic than "normal" networks).


Please give me a pcap of the traffic that it is generating alerts on.
I made the default "we don't know how to decode this or we screwed up
decoding" do a bit more verbosity rather than the ErrorMessages() it
used to do.

In the meantime,

config disable_decode_alerts

in your snort.conf will help.

Hrm...  It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or
ICMP_REDIRECT.

If you have it, I'd suggest grabbing a pcap of some of those packets and then
building a debug version of snort.  Enable debugging in the decoder and then
run the pcap thru it to track down what it's really doing.

Any timeframe for either fixing this or being able to disable it?

With the right info, you should be able to write a BPF filter to drop the
packets that are causing it for now.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net



-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Chris Green <cmg () sourcefire com>
Don't use a big word where a diminutive one will suffice.
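
An added triage example, not part of the original messages and not Snort code: it scans a classic pcap for the ICMP destination-unreachable and redirect packets mentioned in the thread and reports those whose quoted original datagram is too short or malformed to parse. That this is what triggers the alert is an assumption the thread does not confirm; all function names and the sample capture are constructed for illustration.

```python
import struct
ICMP_DEST_UNREACH, ICMP_REDIRECT = 3, 5   # the two ICMP types named in the thread

def read_pcap(data):
    """Yield raw frames from a classic libpcap file image (not pcapng)."""
    # KeyError here means the magic number is not that of a classic pcap file.
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}[data[:4]]
    off = 24                                  # skip the global header
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + caplen]
        off += 16 + caplen

def embedded_problem(frame):
    """None: not an unreachable/redirect. '': quoted datagram sane. Else: the problem."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet II + IPv4 only
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    frag_off = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
    if ip[9] != 1 or frag_off or ihl < 20 or len(ip) < ihl + 8:
        return None                           # not ICMP, or no ICMP header here
    if ip[ihl] not in (ICMP_DEST_UNREACH, ICMP_REDIRECT):
        return None
    inner = ip[ihl + 8:]                      # the quoted original datagram
    if len(inner) < 20:
        return "embedded IP header truncated (%d bytes)" % len(inner)
    if inner[0] >> 4 != 4:
        return "embedded IP version is %d" % (inner[0] >> 4)
    if len(inner) < (inner[0] & 0x0F) * 4 + 8:
        return "embedded header plus 8 payload bytes incomplete"
    return ""

def triage(data):
    """Return (frame index, problem) for every suspicious ICMP error."""
    hits = ((i, embedded_problem(f)) for i, f in enumerate(read_pcap(data)))
    return [(i, p) for i, p in hits if p]

# Constructed sample capture (checksums left at zero, addresses made up).
def _ip(proto, payload):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + payload
def _frame(icmp_type, quoted):
    icmp = struct.pack("!BBHI", icmp_type, 0, 0, 0) + quoted
    return b"\x00" * 12 + b"\x08\x00" + _ip(1, icmp)
QUOTED = _ip(17, struct.pack("!HHHH", 1024, 161, 8, 0))      # UDP to port 161
FRAMES = [_frame(3, QUOTED), _frame(5, QUOTED[:12]), _frame(8, b"ping")]
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)
```

Calling `triage()` on the bytes of a real capture file lists the frame indexes worth extracting and sending along with a bug report.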


