Snort mailing list archives
Re: Bad Protocol?
From: J Irving <j () erf sh>
Date: Sun, 5 Jan 2003 14:01:32 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Mike

Could you post a tcpdump -x of the packet in question? Many anomalous IP tweaks can evade interpretation by tools that...uh ...interpret. tcpdump -x should give you the actual content of the packet (well, the headers and a bit of payload (probably)), which you could then compare to RFCs, Richard Stevens, or whichever authority you prefer.

cheers
j

* Mike Koponick <mike () redhawk info> [2003.01.05 09:30 -0800]:
> From: "Mike Koponick" <mike () redhawk info>
> To: <snort-users () lists sourceforge net>
> X-Priority: 3 (Normal)
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700
> Subject: [Snort-users] Bad Protocol?
> X-BeenThere: snort-users () lists sourceforge net
> X-Mailman-Version: 2.0.9-sf.net
> X-Original-Date: Sun, 5 Jan 2003 09:30:20 -0800
> Date: Sun, 5 Jan 2003 09:30:20 -0800
>
> Now that I have decent logging working, I'm getting some messages that appear to be normal packets, but SNORT seems to think that something is wrong with them. I think it might be a rule problem.. has anyone else seen this?
>
> 01/05-17:33:24.184929 [**] [118:1:1] (spp_conversation) Bad IP protocol! [**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514
>
> Obviously, this is a SYSLOG message, which we do have a node on the network logging to the snort box for syslog parsing. This is what the packet looks like:
>
> [**] (spp_conversation) Bad IP protocol! [**]
> 01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
> UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171
>
> Thanks in advance for your help.
>
> Mike
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
- --
https://erf.sh/chao.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)
Comment: Hail Eris!

iD8DBQE+GKs8UMt2z+iZNdMRAr+nAJ9ENmm3LTe8/EkTVdhMb1Jr1JQTOgCgzL2o
GbNCbqKku7sl1hz8txAdcS4=
=ulHP
-----END PGP SIGNATURE-----
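The header-versus-RFC comparison J suggests can be scripted once you have the tcpdump -x output. The following is an added example, not code from the thread or from Snort: the hex dump is constructed to match the fields in Mike's alert (TTL 255, ID 46088, IpLen 20, DgmLen 171, UDP 514 -> 514) with placeholder RFC 1918 addresses, and it decodes the IPv4/UDP headers per RFC 791/768, recomputes the IP checksum, and reports anything a "Bad IP protocol" style check would trip on.

```python
import struct

# IANA protocol numbers a syslog-collecting sensor can reasonably expect to see.
KNOWN_PROTOCOLS = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP", 51: "AH", 89: "OSPF"}

# Constructed tcpdump -x style dump of a 171-byte syslog datagram (UDP 514 -> 514).
# Only 36 bytes were "captured", mimicking a short snaplen; addresses are placeholders.
SAMPLE_DUMP = """
4500 00ab b408 0000 ff11 83ca c0a8 010a
c0a8 0114 0202 0202 0097 0000 3c31 333e
7465 7374
"""

def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the header; caller zeroes the checksum field."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                     # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def decode(dump: str) -> dict:
    """Parse a tcpdump -x hex dump into IPv4/UDP fields plus a list of inconsistencies."""
    raw = bytes.fromhex("".join(dump.split()))
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    tos, total_len, ident, _frag, ttl, proto, csum = struct.unpack("!BHHHBBH", raw[1:12])
    info = {
        "version": version, "iplen": ihl, "tos": tos, "dgmlen": total_len, "id": ident,
        "ttl": ttl, "proto": proto, "proto_name": KNOWN_PROTOCOLS.get(proto, "UNKNOWN"),
        "src": ".".join(map(str, raw[12:16])), "dst": ".".join(map(str, raw[16:20])),
        "captured": len(raw), "problems": [],
    }
    if ip_checksum(raw[:10] + b"\x00\x00" + raw[12:ihl]) != csum:
        info["problems"].append("ip checksum mismatch")
    if proto not in KNOWN_PROTOCOLS:
        info["problems"].append("protocol %d not in the expected set" % proto)
    if len(raw) < total_len:               # DgmLen larger than what tcpdump kept
        info["problems"].append("capture truncated: %d of %d bytes" % (len(raw), total_len))
    if proto == 17 and len(raw) >= ihl + 8:
        sport, dport, ulen, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
        info.update(sport=sport, dport=dport, udp_len=ulen)
        if ulen != total_len - ihl:        # RFC 768: UDP length covers header + data
            info["problems"].append("udp length disagrees with ip total length")
    return info

if __name__ == "__main__":
    for key, value in decode(SAMPLE_DUMP).items():
        print("%-11s %s" % (key, value))
```

A clean syslog datagram decodes with only the truncation note; a bad protocol byte shows up both as an unexpected protocol number and as a checksum failure.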
Current thread:
- flexresp and libnet Hauser Marcel (Jan 03)
- Re: flexresp and libnet James-lists (Jan 04)
- Snort not logging.... Mike Koponick (Jan 04)
- Re: Snort not logging.... Andrew R. Baker (Jan 04)
- RE: Snort not logging.... Mike Koponick (Jan 05)
- Bad Protocol? Mike Koponick (Jan 05)
- Re: Bad Protocol? J Irving (Jan 05)
- Snort not logging.... Mike Koponick (Jan 04)
- Re: flexresp and libnet James-lists (Jan 04)