Snort mailing list archives
Re: how to stop these UDP TCP alerts?
From: Erek Adams <erek () snort org>
Date: Tue, 23 Sep 2003 06:42:13 -0400 (EDT)
On Mon, 22 Sep 2003, Clayton Mascarenhas wrote:
> I know this question has been asked before, but I cannot find the answer to this. I have really searched Google and the mailing list but still can't find the answer to this question. Could I please know how to stop snort 2.0.2 from generating the following alerts...
>
> [**] (snort_decoder): Short UDP packet, length field > payload length [**]
> 01/29-01:00:18.399475 132.x.x.x:0 -> 132.x.x.x:0
> UDP TTL:128 TOS:0x0 ID:15667 IpLen:20 DgmLen:161
> Len: 133
>
> [**] (snort_decoder) WARNING: TCP Header length exceeds packet length! [**]
> 01/29-01:00:09.082724 132.x.x.x:0 -> 132.x.x.x:0
> TCP TTL:60 TOS:0x0 ID:57434 IpLen:20 DgmLen:52 DF
> ***A**** Seq: 0x21676561 Ack: 0xCECE0987 Win: 0xC036 TcpLen: 32
>
> I am getting a million of these alerts. I don't think there is any snort rule to this. Am I correct?

They are from the 'snort_decoder', not from a rule. To stop them you'll have to either use a BPF filter to ignore the hosts, or turn off the TCP checks in the snort.conf (there's a whole section on it).

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
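
Added example (not part of the original thread and not Snort project code): a small triage script that separates snort_decoder alerts from rule alerts in an alert file, counts them per source host, and builds a BPF exclusion for only the hosts above a threshold. The sample alerts, the addresses and the function names are constructed for illustration; IPv4 alerts in the layout quoted above are assumed.

```python
import re
from collections import Counter

# Constructed sample in the alert layout quoted in the thread (RFC 5737 addresses).
SAMPLE = """\
[**] (snort_decoder): Short UDP packet, length field > payload length [**]
01/29-01:00:18.399475 192.0.2.10:0 -> 192.0.2.20:0
UDP TTL:128 TOS:0x0 ID:15667 IpLen:20 DgmLen:161

[**] (snort_decoder) WARNING: TCP Header length exceeds packet length! [**]
01/29-01:00:09.082724 192.0.2.10:0 -> 192.0.2.20:0
TCP TTL:60 TOS:0x0 ID:57434 IpLen:20 DgmLen:52 DF

[**] (snort_decoder): Short UDP packet, length field > payload length [**]
01/29-01:00:19.101200 192.0.2.11:0 -> 192.0.2.20:0
UDP TTL:128 TOS:0x0 ID:15668 IpLen:20 DgmLen:161

[**] [1:1000001:1] constructed local rule alert [**]
01/29-01:00:21.000001 198.51.100.7:4242 -> 192.0.2.20:80
"""

# Decoder alerts carry "(snort_decoder)" where rule alerts carry [gid:sid:rev].
HEADER = re.compile(r"^\[\*\*\] \(snort_decoder\)[: ]+(?:WARNING: )?(.+?) \[\*\*\]$")
# Second alert line: timestamp, then src[:port] -> dst[:port].
ADDR = re.compile(r"^\S+ (\S+?)(?::\d+)? -> (\S+?)(?::\d+)?$")

def decoder_alerts_by_source(text):
    """Count decoder alerts keyed by (source host, decoder message)."""
    counts = Counter()
    lines = text.splitlines()
    for i, line in enumerate(lines[:-1]):
        head = HEADER.match(line.strip())
        addr = ADDR.match(lines[i + 1].strip()) if head else None
        if addr:
            counts[(addr.group(1), head.group(1))] += 1
    return counts

def bpf_exclusion(counts, threshold):
    """Build a BPF expression excluding sources with >= threshold decoder alerts."""
    per_host = Counter()
    for (src, _msg), n in counts.items():
        per_host[src] += n
    noisy = sorted(h for h, n in per_host.items() if n >= threshold)
    if not noisy:
        return ""
    # "src host" keeps the blind spot to traffic sent by the noisy hosts only.
    return "not (" + " or ".join(f"src host {h}" for h in noisy) + ")"

if __name__ == "__main__":
    print(bpf_exclusion(decoder_alerts_by_source(SAMPLE), 2))
```

Snort never sees packets that a BPF filter excludes, so a filtered host loses rule coverage as well as decoder alerts; keeping the exclusion list short and reviewing the per-host counts first limits that blind spot.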