Snort mailing list archives
RE: copious (snort_decoder) WARNING: Not IPv4 datagram!
From: "Ernie Lim" <snort () itmm ca>
Date: Mon, 27 Oct 2003 22:06:47 -0500
Maybe these might help... and would there be any other info that I can provide??

[**] (snort_decoder) WARNING: Not IPv4 datagram! [**]
10/27-22:02:19.044913 204.152.189.116:0 -> 2.0.0.22:0
TCP TTL:57 TOS:0xE7 ID:27057 IpLen:8 DgmLen:1492 DF

[**] (snort_decoder) WARNING: Not IPv4 datagram! [**]
10/27-22:02:27.255180 204.152.189.116:0 -> 2.0.0.22:0
TCP TTL:57 TOS:0x37 ID:50784 IpLen:24 DgmLen:1492 DF

[**] (snort_decoder) WARNING: Not IPv4 datagram! [**]
10/27-22:03:10.219730 204.152.189.116:0 -> 2.0.0.22:0
TCP TTL:57 TOS:0x43 ID:51284 IpLen:16 DgmLen:1492 DF

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ernie Lim
Sent: Monday, October 27, 2003 5:19 PM
To: snort-users () lists sourceforge net

Hi

I installed snort on one of my firewall machines and have been getting large amounts of "(snort_decoder) WARNING: Not IPv4 datagram!" events.

The firewall machine has an interface on my trusted network and an interface on the DMZ network. Snort is listening on the DMZ interface. There is a router on the DMZ network that goes out to the internet. This router NATs everything from behind the DMZ (including the packets sent to it from the trusted net via the firewall box in question). One other thing to note is that the firewall box also NATs the traffic from the trusted net to the DMZ. So if a client on the trusted net wants to talk to the internet, the packets effectively get NAT'ed twice -- at the firewall and then at the router.

I suspect the above configuration may be confusing snort?? I only get these errors when there is a significant amount of traffic. For instance, when I dl a full kernel source from kernel.org, I'll get about 7 of the errors. I am also getting some of these too (though not nearly as much):

(snort_decoder): Truncated Ipv4 Options
(snort_decoder) WARNING: TCP Data Offset is less than 5!

Casual surfing doesn't usually trigger it but any significant download will.
Any insights greatly appreciated.

Regards,
Ernie.

-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open Source Community? Make a contribution, and help us add new features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list
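The three decoder warnings named in this message map onto basic header sanity checks from RFC 791 and RFC 793. As an added example (not part of the original post and not Snort's own code), the sketch below applies equivalent checks to constructed packets; the function names, result labels and the option-walking rule are this example's assumptions.

```python
import struct

def check_headers(pkt: bytes) -> list:
    """Return header sanity failures for a raw IP packet (labels are this example's own)."""
    if len(pkt) < 20:
        return ["truncated IP header"]
    version, ihl = pkt[0] >> 4, (pkt[0] & 0x0F) * 4
    if version != 4:
        return ["not IPv4"]              # version nibble wrong: no later field can be trusted
    if ihl < 20 or ihl > len(pkt):
        return ["bad IP header length"]
    problems = []
    i = 20
    while i < ihl:                       # walk the IPv4 options area
        kind = pkt[i]
        if kind == 0:                    # End of Option List
            break
        if kind == 1:                    # No-Operation, single byte
            i += 1
            continue
        # Assumed rule: an option whose length byte is missing, below 2,
        # or runs past the header end counts as truncated.
        if i + 1 >= ihl or pkt[i + 1] < 2 or i + pkt[i + 1] > ihl:
            problems.append("truncated IPv4 options")
            break
        i += pkt[i + 1]
    if pkt[9] == 6:                      # protocol field says TCP
        tcp = pkt[ihl:]
        if len(tcp) < 20:
            problems.append("truncated TCP header")
        elif tcp[12] >> 4 < 5:           # data offset is counted in 32-bit words
            problems.append("TCP data offset < 5")
    return problems

def build(ver_ihl=0x45, options=b"", tcp_off=5) -> bytes:
    """Constructed test packet: IPv4 + TCP, documentation addresses, no payload."""
    ip = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 40 + len(options), 1, 0x4000,
                     57, 6, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 0, 0, tcp_off << 4, 0x10, 8192, 0, 0)
    return ip + options + tcp

if __name__ == "__main__":
    samples = {"clean": build(),
               "version nibble damaged": build(ver_ihl=0x25),
               "option overruns header": build(ver_ihl=0x46, options=b"\x07\x08\x04\x00"),
               "short TCP offset": build(tcp_off=2)}
    for name, pkt in samples.items():
        print(f"{name:24s} {check_headers(pkt) or 'ok'}")
```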