Snort mailing list archives
RE: Logs in Messages
From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 11 Jul 2005 14:27:55 -0400
It means that your sensor saw packets that had 8 more bytes than were specified in the LEN field of the IP header. It's not necessarily indicative of an attack, just traffic that shouldn't be. It may be a misconfigured router or host, or it could be an attack. Time to break out tcpdump and figure out what's going on.

PaulM

-----Original Message-----
Subject: [Snort-users] Logs in Messages

Hello again:

Anyone know what these logs mean?

Thanks for any hint

Xavier C.

Jul 5 20:09:36 spark snort: IP Len field is 8 bytes smaller than captured length. (ip.len: 96, cap.len: 104)
Jul 5 20:09:36 spark snort: IP Len field is 8 bytes smaller than captured length. (ip.len: 96, cap.len: 104)
Jul 5 20:09:36 spark snort: IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
Jul 5 20:09:36 spark snort: IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
Jul 5 20:09:36 spark snort: IP Len field is 8 bytes smaller than captured length. (ip.len: 112, cap.len: 120)
Jul 5 20:09:36 spark snort: IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
Jul 5 20:09:37 spark last message repeated 38 times
Jul 5 20:09:37 spark snort: IP Len field is 8 bytes smaller than captured length. (ip.len: 96, cap.len: 104)
Jul 5 20:09:37 spark snort: IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
Jul 5 20:09:37 spark last message repeated 20 times
Jul 5 20:09:37 spark snort: IP Len field is 8 bytes smaller than captured length. (ip.len: 112, cap.len: 120)
Jul 5 20:09:37 spark snort: IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
Jul 5 20:09:38 spark last message repeated 33 times
Jul 5 20:09:38 spark snort: IP Len field is 8 bytes smaller than captured length. (ip.len: 96, cap.len: 104)
Jul 5 20:09:38 spark snort: IP Len field is 8 bytes smaller than captured length. (ip.len: 96, cap.len: 104)
Jul 5 20:09:38 spark snort: IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
Jul 5 20:09:38 spark last message repeated 8 times
Jul 5 20:09:38 spark snort: IP Len field is 8 bytes smaller than captured length. (ip.len: 112, cap.len: 120)
Jul 5 20:09:38 spark snort: IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
Jul 5 20:09:38 spark last message repeated 6 times
Jul 5 20:09:39 spark snort: IP Len field is 17 bytes smaller than captured length. (ip.len: 29, cap.len: 46)
Jul 5 20:09:39 spark snort: IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
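
Added example, not part of the original thread or of Snort: a triage script that tallies these messages per (ip.len, cap.len) pair before reaching for tcpdump, expanding the syslog "last message repeated" lines. It assumes cap.len is counted after the 14-byte Ethernet header, so a cap.len of exactly 46 (the Ethernet minimum payload) is treated as link-layer padding; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the message above.
SAMPLE = """\
Jul 5 20:09:36 spark snort: IP Len field is 8 bytes smaller than captured length. (ip.len: 96, cap.len: 104)
Jul 5 20:09:36 spark snort: IP Len field is 6 bytes smaller than captured length. (ip.len: 40, cap.len: 46)
Jul 5 20:09:37 spark last message repeated 38 times
Jul 5 20:09:39 spark snort: IP Len field is 17 bytes smaller than captured length. (ip.len: 29, cap.len: 46)
"""

# Assumption: cap.len excludes the Ethernet header, so 46 is the minimum payload.
ETH_MIN_PAYLOAD = 46

MSG = re.compile(r"snort: IP Len field is (\d+) bytes smaller than captured length\. "
                 r"\(ip\.len: (\d+), cap\.len: (\d+)\)")
REPEAT = re.compile(r"last message repeated (\d+) times")

def tally(log_text):
    """Count packets per (ip.len, cap.len), expanding syslog repeat lines."""
    counts, last = Counter(), None
    for line in log_text.splitlines():
        m = MSG.search(line)
        if m:
            delta, ip_len, cap_len = map(int, m.groups())
            if cap_len - ip_len != delta:
                raise ValueError(f"inconsistent line: {line!r}")
            last = (ip_len, cap_len)
            counts[last] += 1
            continue
        r = REPEAT.search(line)
        if r and last is not None:
            # Attribute the repeats to the preceding Snort message.
            counts[last] += int(r.group(1))
    return counts

def classify(ip_len, cap_len):
    """Separate minimum-frame padding from trailers that need a packet capture."""
    if cap_len == ETH_MIN_PAYLOAD and ip_len < ETH_MIN_PAYLOAD:
        return "padding"
    return "investigate"

def report(log_text):
    return {pair: (n, classify(*pair)) for pair, n in tally(log_text).items()}

if __name__ == "__main__":
    for (ip_len, cap_len), (n, label) in sorted(report(SAMPLE).items()):
        print(f"ip.len={ip_len:<4} cap.len={cap_len:<4} count={n:<4} {label}")
```

Pairs labelled "investigate" are the ones worth capturing with tcpdump, since minimum-frame padding does not account for the extra bytes.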