Snort mailing list archives
Re: UDP alerts with sneeze
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 12 Mar 2010 06:31:41 -0500
Sriharsha,

Snort is getting an IP:UDP packet with datagram length of 92 and a UDP length greater than 72. The packet should look like this, excluding any layer 2 stuff:

    [20 byte IP header] + [8 byte UDP header] + [64 byte UDP payload]

The UDP length field includes both the header and payload lengths, so it should be 64+8=72, but in fact it is something greater than that (maybe those 8 bytes are being counted twice?).

Here is some partial tshark output of an example packet with UDP length of 73 which generates the alert you are getting:

    Internet Protocol, Src: 76.0.0.10 (76.0.0.10), Dst: 4.4.4.10 (4.4.4.10)
        Version: 4
        Header length: 20 bytes
        Total Length: 92
        Protocol: UDP (0x11)
    User Datagram Protocol, Src Port: 48620 (48620), Dst Port: 8 (8)
        Length: 73 (bogus, payload length 72)
    Data (64 bytes)
        Data: 313233343536373839303132333435363738393031323334...

    0000  02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 10   ..............E.
    0010  00 5c 00 01 00 00 3f 11 27 69 4c 00 00 0a 04 04   .\....?.'iL.....
    0020  04 0a bd ec 00 08 00 49 4c cc 31 32 33 34 35 36   .......IL.123456
    0030  37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32   7890123456789012
    0040  33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38   3456789012345678
    0050  39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34   9012345678901234
    0060  35 36 37 38 39 30 31 32 33 34                     5678901234

Hope that helps.

Russ

On Fri, Mar 12, 2010 at 1:35 AM, sri harsha <harsha536 () gmail com> wrote:
Hi,

I am using snort 2.8.5.2 version on linux machine. Using sneeze for attacks, I could see alerts generated for icmp rules as attacks. But, for UDP packets, I see the following alert messages.

    [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**]
    [Priority: 3]
    03/12-06:17:32.840382 76.0.0.10:0 -> 4.4.4.10:0
    UDP TTL:63 TOS:0x10 ID:0 IpLen:20 DgmLen:92 DF
    UDP header truncated

What can be the reason for this? Thanks for any suggestion in advance.

Thanks,
Sriharsha

------------------------------------------------------------------------------
Download Intel® Parallel Studio Eval
Try the new software tools for yourself. Speed compiling, find bugs proactively, and fine-tune applications for parallel performance. See why Intel Parallel Studio got high marks during beta.
http://p.sf.net/sfu/intel-sw-dev
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
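The decoder check Russ describes, as an added example that is not part of the thread or of Snort's code: it decodes the frame from the tshark hex dump above, compares the UDP length field with the bytes the IP Total Length actually leaves for the datagram, and flags the mismatch that produces the alert; `with_udp_length` is a hypothetical helper used only to show the consistent (72) case beside the bogus (73) one.

```python
import struct

# Frame from the tshark hex dump in the reply above (Ethernet + IPv4 + UDP),
# re-typed here as this example's sample input.
FRAME_HEX = """
02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 10
00 5c 00 01 00 00 3f 11 27 69 4c 00 00 0a 04 04
04 0a bd ec 00 08 00 49 4c cc 31 32 33 34 35 36
37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32
33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38
39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34
35 36 37 38 39 30 31 32 33 34
"""
FRAME = bytes.fromhex("".join(FRAME_HEX.split()))
ETH_LEN = 14       # Ethernet II header, no VLAN tag
UDP_HDR_LEN = 8

def check_udp_length(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP and compare the UDP length field with the room
    the IP header leaves for the datagram; this is the consistency check behind
    the 'Short UDP packet, length field > payload length' decoder alert."""
    if len(frame) < ETH_LEN or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 Ethernet frame")
    ip = frame[ETH_LEN:]
    ihl = (ip[0] & 0x0F) * 4                       # IP header length in bytes
    total_len = struct.unpack("!H", ip[2:4])[0]    # IP "Total Length"
    if ip[9] != 17:
        raise ValueError("not UDP")
    ip_payload_len = total_len - ihl               # bytes IP delivers to UDP
    sport, dport, udp_len = struct.unpack("!HHH", ip[ihl:ihl + 6])
    return {
        "sport": sport, "dport": dport, "total_len": total_len,
        "udp_len": udp_len,                        # header + payload (RFC 768)
        "ip_payload_len": ip_payload_len,
        "payload_len": ip_payload_len - UDP_HDR_LEN,
        # The field claims more bytes than IP carried: this raises the alert.
        "alert": udp_len > ip_payload_len,
    }

def with_udp_length(frame: bytes, udp_len: int) -> bytes:
    """Hypothetical helper: copy of the frame with the UDP length field rewritten
    (the UDP checksum is left as-is; only the length check is of interest here)."""
    off = ETH_LEN + (frame[ETH_LEN] & 0x0F) * 4 + 4   # offset of the length field
    return frame[:off] + struct.pack("!H", udp_len) + frame[off + 2:]

if __name__ == "__main__":
    print(check_udp_length(FRAME))                        # udp_len 73 > 72 -> alert True
    print(check_udp_length(with_udp_length(FRAME, 72)))   # 72 == 72 -> alert False
```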