Re: Bad Protocol?

[J Irving <j () erf sh>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mike

Could you post a tcpdump -x of the packet in question?  Many
anomalous IP tweaks can evade interpretation by tools that...uh
...interpret.  tcpdump -x should give you the actual content of
the packet (well, the headers and a bit of payload (probably)),
which you could then compare to RFCs, Richard Stevens, or
whichever authority you prefer.

cheers
j

* Mike Koponick <mike () redhawk info> [2003.01.05 09:30 -0800]:
> From: "Mike Koponick" <mike () redhawk info>
> To: <snort-users () lists sourceforge net>
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
> Subject: [Snort-users] Bad Protocol?
> X-BeenThere: snort-users () lists sourceforge net
> X-Mailman-Version: 2.0.9-sf.net
> X-Original-Date: Sun, 5 Jan 2003 09:30:20 -0800
> Date: Sun, 5 Jan 2003 09:30:20 -0800
>
> Now that I have decent loggin working, I'm getting some messages that appear
> to be normal packets, but SNORT seems to think that something is wrong with
> them. I think it might be a rule problem.. has anyone else seen this?
>
> 01/05-17:33:24.184929  [**] [118:1:1] (spp_conversation) Bad IP protocol!
> [**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514
>
> Obviously, this is a SYSLOG message, which we do have a node on the network
> logging to the snort box for syslog parsing.
>
> This is what the packet looks like:
>
> [**] (spp_conversation) Bad IP protocol! [**]
> 01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
> UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171
>
> Thanks in advance for your help.
>
> Mike
>
>
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users

- -- 
https://erf.sh/chao.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)
Comment: Hail Eris!

iD8DBQE+GKs8UMt2z+iZNdMRAr+nAJ9ENmm3LTe8/EkTVdhMb1Jr1JQTOgCgzL2o
GbNCbqKku7sl1hz8txAdcS4=
=ulHP
-----END PGP SIGNATURE-----


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users