Snort mailing list archives
Re: how to stop these UDP TCP alerts?
From: jlarsson () altavoz net
Date: Wed, 24 Sep 2003 13:20:26 -0400 (CLT)
I have scanned through mailing lists looking for which "false alerts" these TCP checks will stop.

I get the following messages in my alert file:

(snort_decoder): Short UDP packet, length field > payload length
(snort_decoder) WARNING: TCP Header length exceeds packet length!
(snort_decoder): Truncated Tcp Options

Where can I find an explanation of what these mean: "Stop generic decode event", "Stop alerts on experimental TCP options", etc.

/Johan

PS, Sorry to have sent this two times to you Erek :(

Quoting Erek Adams <erek () snort org>:

> On Mon, 22 Sep 2003, Clayton Mascarenhas wrote:
>
> > I know this question has been asked before, but I cannot find the answer
> > to this. I have really searched google and the mailing list but still
> > can't find the answer to this question.
> >
> > Could I please know how to stop snort 2.0.2 from generating the following
> > alerts...
> >
> > [**] (snort_decoder): Short UDP packet, length field > payload length [**]
> > 01/29-01:00:18.399475 132.x.x.x:0 -> 132.x.x.x:0
> > UDP TTL:128 TOS:0x0 ID:15667 IpLen:20 DgmLen:161
> > Len: 133
> >
> > [**] (snort_decoder) WARNING: TCP Header length exceeds packet length! [**]
> > 01/29-01:00:09.082724 132.x.x.x:0 -> 132.x.x.x:0
> > TCP TTL:60 TOS:0x0 ID:57434 IpLen:20 DgmLen:52 DF
> > ***A**** Seq: 0x21676561 Ack: 0xCECE0987 Win: 0xC036 TcpLen: 32
> >
> > I am getting a million of these alerts. I don't think there is any snort
> > rule to this. Am I correct?
>
> They are from the 'snort_decoder', not from a rule. To stop them you'll
> have to either use a BPF filter to ignore the hosts, or turn off the TCP
> checks in the snort.conf (there's a whole section on it).
>
> Cheers!
>
> -----
> Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
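What the three decoder messages quoted in this thread describe, as an added example that is not part of the original posts and is not Snort's own source: a simplified Python version of the length checks, run over constructed packet bytes. The function names, the sample bytes, and every label other than the three alert strings from the thread are assumptions.

```python
import struct

def check_udp(seg):
    """seg: the bytes actually captured after the IP header."""
    if len(seg) < 8:
        return "UDP header cut short (label is an assumption)"
    ulen = struct.unpack("!H", seg[4:6])[0]   # UDP length field: header + data
    if ulen > len(seg):                       # header claims more than was captured
        return "Short UDP packet, length field > payload length"
    return None

def check_tcp(seg):
    if len(seg) < 20:
        return "TCP header cut short (label is an assumption)"
    hlen = (seg[12] >> 4) * 4                 # data offset in 32-bit words -> bytes
    if hlen < 20:
        return "TCP data offset below 5 (label is an assumption)"
    if hlen > len(seg):                       # header would run past the captured data
        return "TCP Header length exceeds packet length!"
    opts, i = seg[20:hlen], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                         # End of Option List
            break
        if kind == 1:                         # No-Operation, single byte
            i += 1
            continue
        # Every other option is kind, length, value; length covers all three.
        # A length below 2 is rejected under the same label in this sketch.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return "Truncated Tcp Options"
        i += opts[i + 1]
    return None

def tcp_segment(data_offset, options=b""):
    """Constructed TCP header: ports 1024->80, ACK flag set, then raw options."""
    return struct.pack("!HHIIBBHHH", 1024, 80, 1, 0,
                       data_offset << 4, 0x10, 8192, 0, 0) + options

# Constructed samples, not traffic from the thread.
UDP_SHORT = struct.pack("!HHHH", 1024, 53, 141, 0) + b"\x00" * 20  # claims 141, has 28
TCP_CUT = tcp_segment(8)                           # claims a 32-byte header, has 20
TCP_BAD_OPT = tcp_segment(6, b"\x02\x08\x05\xb4")  # option length 8 in a 4-byte area
TCP_OK = tcp_segment(6, b"\x02\x04\x05\xb4")       # well-formed MSS option

if __name__ == "__main__":
    for name in ("UDP_SHORT", "TCP_CUT", "TCP_BAD_OPT", "TCP_OK"):
        check = check_udp if name.startswith("UDP") else check_tcp
        print(name, "->", check(globals()[name]))
```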
Current thread:
- how to stop these UDP TCP alerts? Clayton Mascarenhas (Sep 22)
- Re: how to stop these UDP TCP alerts? Erek Adams (Sep 23)
- Re: how to stop these UDP TCP alerts? jlarsson (Sep 24)
- Re: how to stop these UDP TCP alerts? Erek Adams (Sep 24)
- Re: how to stop these UDP TCP alerts? jlarsson (Sep 24)
- Re: how to stop these UDP TCP alerts? Phil Wood (Sep 25)
- Re: how to stop these UDP TCP alerts? jlarsson (Sep 24)
- Re: how to stop these UDP TCP alerts? Erek Adams (Sep 23)