Snort mailing list archives
Unknown datagram decoding problem
From: "Secureplay" <secureplay () sbcglobal net>
Date: Sun, 26 Oct 2003 01:24:27 -0600
Can someone explain to me the "Unknown datagram decoding problem" event? Is the problem with the decoding or with the fact that the datagram is "unknown"?

Here's what I'm seeing: I logged about six of these. Both source and destination addresses are valid addresses and the machines are up.

IP
--
source addr | dest addr | Ver | Hdr Len | TOS | length
X.x.x.x | y.y.y.y | 4 | 5 | 0 | 29

ID | flags | offset | TTL | chksum
26557 | 0 | 0 | 127 | 45539

Options: none

ICMP
----
type | code | checksum
(3) Destination Unreachable | (3) Port Unreachable | 47100

Payload
-------
length = 5
000 : 00 00 00 00 45    ....E

Protocol: IP, org source ip: 0.0.0.0, org source port: 0, org.destination ip: 0, org.destination

The strange thing is, even though it says that it's a problem with decoding this packet, if I click on the snort description for the event (I'm using ACID), it shows me description for sid 108, "BACKDOOR QAZ Worm Client Login access".
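Added example, not part of the original post and not Snort's decoder: it redoes the length arithmetic on the values in the dump above, assuming the 5 bytes ACID lists as payload directly follow the 4-byte type/code/checksum. The function name, status strings and sample constants are made up for this illustration; the check is the RFC 792 expectation that an ICMP error quotes the original IP header plus 64 bits.

```python
import ipaddress
import struct

# Constructed from the post's values: ICMP type 3, code 3, checksum 47100,
# followed by the 5 bytes ACID lists as payload (00 00 00 00 45).
SAMPLE_ICMP = struct.pack("!BBH", 3, 3, 47100) + bytes.fromhex("0000000045")
SAMPLE_IP_TOTAL_LEN = 29  # "length" column of the outer IP header
SAMPLE_IP_HDR_WORDS = 5   # "Hdr Len" column, in 32-bit words

# ICMP types whose body quotes the original datagram (RFC 792).
QUOTING_TYPES = {3, 4, 5, 11, 12}


def inspect_icmp_error(ip_total_len, ip_hdr_words, icmp):
    """Classify the datagram quoted inside an ICMP error message.

    Returns (status, detail); status is one of "length-mismatch",
    "short-icmp", "not-error", "quoted-header-truncated",
    "quoted-not-ipv4", "quoted-payload-short" or "ok".
    """
    expected = ip_total_len - ip_hdr_words * 4
    if len(icmp) != expected:
        return "length-mismatch", f"IP header implies {expected} ICMP bytes, got {len(icmp)}"
    if len(icmp) < 8:
        return "short-icmp", f"{len(icmp)} of 8 ICMP header bytes present"
    icmp_type, _code, _checksum = struct.unpack("!BBH", icmp[:4])
    if icmp_type not in QUOTING_TYPES:
        return "not-error", f"type {icmp_type} does not quote a datagram"
    quoted = icmp[8:]  # bytes 4-7 are type-specific (unused for type 3)
    if len(quoted) < 20:
        return "quoted-header-truncated", f"{len(quoted)} of 20 quoted IP header bytes present"
    version, hdr_len = quoted[0] >> 4, (quoted[0] & 0x0F) * 4
    if version != 4 or hdr_len < 20:
        return "quoted-not-ipv4", f"version {version}, header length {hdr_len}"
    if len(quoted) < hdr_len + 8:
        return "quoted-payload-short", f"{len(quoted) - hdr_len} of 8 transport bytes present"
    src, dst = (ipaddress.IPv4Address(quoted[i:i + 4]) for i in (12, 16))
    # The first 4 transport bytes are the ports only when the protocol is TCP or UDP.
    sport, dport = struct.unpack("!HH", quoted[hdr_len:hdr_len + 4])
    return "ok", f"{src}:{sport} -> {dst}:{dport} proto {quoted[9]}"


if __name__ == "__main__":
    print(inspect_icmp_error(SAMPLE_IP_TOTAL_LEN, SAMPLE_IP_HDR_WORDS, SAMPLE_ICMP))
```

On the posted values, 29 total bytes minus a 20-byte IP header and an 8-byte ICMP header leaves a single byte (0x45) of the quoted datagram, so there are no original addresses or ports in the packet to display.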