Snort mailing list archives

Re: copious (snort_decoder) WARNING: Not IPv4 datagram!


From: Geoff <gpoer () arizona edu>
Date: Mon, 27 Oct 2003 21:43:02 -0700

Are you doing any V3pn... I saw some strange snort logs like this when we did some VPN testing. Otherwise, it looks like a fragmented packet with the DF flag set and some strange TOS settings (strange like not possible). But you have piqued my curiosity; can you get a packet capture? What version of snort are you running and on what OS?

Geoff

Ernie Lim wrote:
Maybe these might help...  and would there be any other info that I can
provide??

[**] (snort_decoder) WARNING: Not IPv4 datagram! [**]
10/27-22:02:19.044913 204.152.189.116:0 -> 2.0.0.22:0
TCP TTL:57 TOS:0xE7 ID:27057 IpLen:8 DgmLen:1492 DF

[**] (snort_decoder) WARNING: Not IPv4 datagram! [**]
10/27-22:02:27.255180 204.152.189.116:0 -> 2.0.0.22:0
TCP TTL:57 TOS:0x37 ID:50784 IpLen:24 DgmLen:1492 DF

[**] (snort_decoder) WARNING: Not IPv4 datagram! [**]
10/27-22:03:10.219730 204.152.189.116:0 -> 2.0.0.22:0
TCP TTL:57 TOS:0x43 ID:51284 IpLen:16 DgmLen:1492 DF




-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ernie Lim
Sent: Monday, October 27, 2003 5:19 PM
To: snort-users () lists sourceforge net

Hi

I installed snort on one of my firewall machines and have been getting large
amounts of "(snort_decoder) WARNING: Not IPv4 datagram!" events.
The firewall machine has an interface on my trusted network and an interface
on the DMZ network. Snort is listening on the DMZ interface. There is router
on the DMZ network that goes out to the internet. This router NATs
everything from behind the DMZ (including the packets sent to it from the
trusted net via the firewall box in question). One other thing to note is
that the firewall box also NATs the traffic from the trusted net to the DMZ.
So if a client on the trusted net wants to talk to the internet, the packets
effectively get NAT'ed twice -- at the firewall and then at the router. I
suspect the above configuration may be confusing snort?

I only get these errors when there is a significant amount of traffic. For
instance, when I dl a full kernel source from kernel.org, I'll get about 7
of the errors. I am also getting some of these too (though not nearly as
much):

(snort_decoder): Truncated Ipv4 Options
(snort_decoder) WARNING: TCP Data Offset is less than 5!

Casual surfing doesn't usually trigger it but any significant download will.

Any insights greatly appreciated.

Regards,
Ernie.




-------------------------------------------------------
This SF.net email is sponsored by: The SF.net Donation Program.
Do you like what SourceForge.net is doing for the Open
Source Community?  Make a contribution, and help us add new
features and functionality. Click here: http://sourceforge.net/donate/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list
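The three warnings Ernie quotes are the decoder's header sanity checks: the IP version nibble must be 4, the IP header length (what Snort prints as IpLen, the IHL field times 4) must be at least 20 bytes and any options must fit inside it, and the TCP data offset must be at least 5 words. The following is an added example, not Snort's own decoder code, that decodes raw IPv4/TCP header bytes with those same checks and renders the alert line in Snort's format so the result can be compared with the quoted output. All packet bytes are constructed: the first one is rebuilt from the first quoted alert (IpLen:8 means an IHL of 2 words; the version nibble 2 is a guess, since the alert only says it is not 4), checksums are left at zero, and the warning strings other than the three on the page are my own labels.

```python
"""Decode raw IPv4/TCP headers and reproduce the sanity checks behind the
Snort decoder warnings quoted in this thread.  Added example, not Snort code."""
import struct

IPV4_MIN_HDR = 20          # RFC 791: IHL >= 5 words
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def check_ipv4_options(pkt, ihl_bytes):
    """Walk the options area (bytes 20..ihl_bytes); return a warning or None."""
    if ihl_bytes > len(pkt):
        return "Truncated Ipv4 Options"
    off = IPV4_MIN_HDR
    while off < ihl_bytes:
        kind = pkt[off]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # NOP is a single byte
            off += 1
            continue
        if off + 1 >= ihl_bytes:           # no room for the length byte
            return "Truncated Ipv4 Options"
        length = pkt[off + 1]
        if length < 2 or off + length > ihl_bytes:
            return "Truncated Ipv4 Options"
        off += length
    return None


def decode_packet(pkt):
    """Return (fields, warnings) for raw bytes starting at the IP header."""
    if len(pkt) < IPV4_MIN_HDR:
        return {}, ["Truncated IPv4 header"]   # own label, not a Snort string
    (ver_ihl, tos, dgm_len, ident, flags_frag, ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:IPV4_MIN_HDR])
    ihl_bytes = (ver_ihl & 0x0F) * 4      # what Snort prints as IpLen
    fields = {"version": ver_ihl >> 4, "ip_len": ihl_bytes, "dgm_len": dgm_len,
              "tos": tos, "id": ident, "ttl": ttl, "proto": proto,
              "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
              "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
              "sport": 0, "dport": 0}
    warnings = []
    if fields["version"] != 4:
        warnings.append("Not IPv4 datagram!")
    if ihl_bytes < IPV4_MIN_HDR:
        warnings.append("IP header length < 20 bytes")   # own label
    elif ihl_bytes > IPV4_MIN_HDR:
        opt_warning = check_ipv4_options(pkt, ihl_bytes)
        if opt_warning:
            warnings.append(opt_warning)
    # Only descend into TCP when the IP header passed its checks; a rejected
    # IP header is why the alerts on the page show port 0 on both sides.
    if proto == 6 and not warnings and len(pkt) >= ihl_bytes + 20:
        fields["sport"], fields["dport"] = struct.unpack("!HH", pkt[ihl_bytes:ihl_bytes + 4])
        fields["tcp_doff"] = pkt[ihl_bytes + 12] >> 4   # data offset in 32-bit words
        if fields["tcp_doff"] < 5:
            warnings.append("TCP Data Offset is less than 5!")
    return fields, warnings


def snort_style_line(fields):
    """Render the second alert line the way Snort prints it."""
    name = PROTO_NAMES.get(fields["proto"], "PROTO:%d" % fields["proto"])
    line = "%s TTL:%d TOS:0x%X ID:%d IpLen:%d DgmLen:%d" % (
        name, fields["ttl"], fields["tos"], fields["id"],
        fields["ip_len"], fields["dgm_len"])
    return line + (" DF" if fields["df"] else "") + (" MF" if fields["mf"] else "")


def build(first_byte, tos, ident, flags, ttl, proto, src, dst,
          options=b"", l4=b"", dgm_len=None):
    """Assemble a constructed packet; the checksum is left at 0 (not validated)."""
    if dgm_len is None:
        dgm_len = IPV4_MIN_HDR + len(options) + len(l4)
    ip = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", first_byte, tos, dgm_len, ident,
                      flags, ttl, proto, 0, ip(src), ip(dst))
    return hdr + options + l4


def tcp_segment(sport, dport, doff):
    """Minimal 20-byte TCP header with the given data offset (in words)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, doff << 4, 0x02, 8192, 0, 0)


DF = 0x4000
GOOD = build(0x45, 0, 1, DF, 64, 6, "10.0.0.1", "10.0.0.2", l4=tcp_segment(40000, 80, 5))
# Reconstructed from the first alert on the page: IpLen:8 means IHL=2 words;
# the version nibble 2 is a guess (the alert only tells us it is not 4).
FROM_ALERT = build(0x22, 0xE7, 27057, DF, 57, 6, "204.152.189.116", "2.0.0.22",
                   l4=tcp_segment(80, 33000, 5), dgm_len=1492)
# IHL=6 (24 bytes) with a Record Route option claiming 16 bytes: overruns the header
BAD_OPTIONS = build(0x46, 0, 2, DF, 64, 6, "10.0.0.1", "10.0.0.2",
                    options=b"\x07\x10\x00\x00", l4=tcp_segment(40000, 80, 5))
BAD_DOFF = build(0x45, 0, 3, DF, 64, 6, "10.0.0.1", "10.0.0.2", l4=tcp_segment(40000, 80, 4))

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("from_alert", FROM_ALERT),
                      ("bad_options", BAD_OPTIONS), ("bad_doff", BAD_DOFF)]:
        fields, warnings = decode_packet(pkt)
        print(name, "->", snort_style_line(fields), warnings)
```

The version and IHL share the first header byte, so a single corrupted byte produces both "Not IPv4 datagram!" and an impossible IpLen at once, which is what all three quoted alerts look like. Whether that byte is being damaged somewhere on the doubly NAT'ed path or the packets arrive that way is exactly what the full capture Geoff asks for (for example `tcpdump -s 0 -w` on the DMZ interface) would settle, since it preserves the raw bytes this decoder reads.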