Snort mailing list archives
Re: why UDP disc acquire?
From: Andrey Kiryukhin <andrei_1980 () mail ru>
Date: Sat, 25 Jun 2016 12:01:58 +0300
Why do you think the UDP packets are malformed? Tools like Wireshark, tcpdump and tcpreplay handle them correctly. These packets only have a wrong checksum, and I disabled checksum verification in Snort with the option "-k none".

On 24.06.2016 19:05, Al Lewis (allewi) wrote:

It looks like Snort is discarding them because they are all malformed.

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Andrei_1980 <andrei_1980 () mail ru>
Date: Friday, June 24, 2016 at 11:28 AM
To: allewi <allewi () cisco com>, 'snort-users' <snort-users () lists sourceforge net>
Subject: Re: [Snort-users] why UDP disc acquire?

Hmm, strange. I attached the pcap to the first message. OK, reattaching it to this message.

On 24.06.2016 18:22, Al Lewis (allewi) wrote:

Hello,

Can you provide us with the pcap or a sample of it?

Albert Lewis
QA SNORT/Sourcefire
SOURCEfire, Inc. now part of Cisco
9780 Patuxent Woods Drive
Columbia, MD 21046
Phone: (office) 443.430.7112
Email: allewi () cisco com

From: Andrei_1980 <andrei_1980 () mail ru>
Date: Friday, June 24, 2016 at 11:06 AM
To: 'snort-users' <snort-users () lists sourceforge net>
Subject: [Snort-users] why UDP disc acquire?

Hi all.

I use Snort 2.9.8.2. I have a pcap file of an old attack (see attachment). It contains only UDP packets. I wrote a test rule:

    alert udp any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype: attempted-dos; sid:1000001; rev:1;)

and ran Snort:

    snort -c ./etc/snort.conf -A console -K none -k none -r ./pcaps/DOS_Nbisakmp.pcap

and got no alerts. In the output stats I have:

    ...........
    Packet I/O Totals:
       Received:          100
       Analyzed:          100 (100.000%)
       Dropped:             0 (  0.000%)
       Filtered:            0 (  0.000%)
       Outstanding:         0 (  0.000%)
       Injected:            0
    .....................
    Breakdown by protocol (includes rebuilt packets):
       Eth:          100 (100.000%)
       VLAN:           0 (  0.000%)
       IP4:          100 (100.000%)
       Frag:           0 (  0.000%)
       ICMP:           0 (  0.000%)
       UDP:          100 (100.000%)
    ...................
       UDP Disc:     100 (100.000%)
       ICMP Disc:      0 (  0.000%)
       All Discard:  100 (100.000%)

(full output and snort.conf are in the attachment)

If I change the rule (udp to ip):

    alert ip any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype: attempted-dos; sid:1000001; rev:1;)

all packets generate alerts. So why are the UDP packets in the sample pcap discarded if I use the udp protocol in the alert?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
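The disagreement in this thread is whether the packets are merely carrying a wrong UDP checksum (which `-k none` tells Snort to ignore) or are malformed in some other way that a decoder rejects before any rule is evaluated. The following is an added example, not code from the thread, from Snort or from Cisco, and it makes no claim about what the attached pcap actually contains. It applies the sanity checks a UDP-over-IPv4 decoder generally performs (IPv4 header and total length, UDP length field against the IP payload, and finally the checksum) so that "bad-checksum" and "malformed" come out as separate verdicts; only the last of those checks is what a checksum-mode flag switches off. The sample frames at the bottom are constructed in the script; `iter_pcap_frames` is a minimal classic-pcap reader so the same classification can be run over a real capture with `python3 udpcheck.py file.pcap` (script name assumed).

```python
# Added example (not code from the thread, from Snort or from Cisco): the
# decoder-style sanity checks for a UDP-over-IPv4 frame, so "wrong checksum"
# can be told apart from "malformed" before a sensor's discard counter is blamed.
import struct
import sys
from collections import Counter


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum used by IPv4 and UDP checksums (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_checksum(src_ip: bytes, dst_ip: bytes, udp: bytes) -> int:
    """UDP checksum over the IPv4 pseudo-header plus the segment (RFC 768)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 17, len(udp))
    csum = 0xFFFF ^ ones_complement_sum(pseudo + udp[:6] + b"\x00\x00" + udp[8:])
    return csum or 0xFFFF  # a computed zero is transmitted as 0xFFFF


def check_udp_frame(frame: bytes) -> dict:
    """Classify one Ethernet frame as 'ok', 'bad-checksum' or 'malformed'."""
    res = {"verdict": "malformed", "reason": None}
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        res["reason"] = "not IPv4 or truncated frame"
        return res
    ip = frame[14:]
    ihl, total_len, proto = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0], ip[9]
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        res["reason"] = "bad IPv4 header or total length"
        return res
    if proto != 17:
        res["reason"] = "not UDP"
        return res
    udp = ip[ihl:total_len]
    if len(udp) < 8:
        res["reason"] = "truncated UDP header"
        return res
    sport, dport, uh_len, uh_sum = struct.unpack("!HHHH", udp[:8])
    if uh_len < 8:
        res["reason"] = "UDP length field < 8"
        return res
    if uh_len > len(udp):
        res["reason"] = "UDP length field > IP payload"
        return res
    udp = udp[:uh_len]  # bytes past the UDP length are padding, not checksummed
    expected = udp_checksum(ip[12:16], ip[16:20], udp)
    ok = uh_sum == 0 or uh_sum == expected  # 0 means "no checksum" over IPv4
    res.update(sport=sport, dport=dport, expected=expected, checksum_ok=ok,
               verdict="ok" if ok else "bad-checksum")
    return res


def build_udp_frame(src_ip, dst_ip, sport, dport, payload, udp_len=None, checksum=None):
    """Build Ethernet/IPv4/UDP; udp_len/checksum override the correct values."""
    udp_len = 8 + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    if checksum is None:
        checksum = udp_checksum(src_ip, dst_ip, udp)
    udp = udp[:6] + struct.pack("!H", checksum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", 0xFFFF ^ ones_complement_sum(ip)) + ip[12:]
    return bytes.fromhex("001122334455" "66778899aabb" "0800") + ip + udp


def iter_pcap_frames(data: bytes):
    """Yield raw Ethernet frames from a classic (non-pcapng) pcap file image."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap with Ethernet (DLT 1) link type")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len


def tally(frames) -> Counter:
    """Count verdicts over a set of frames."""
    return Counter(check_udp_frame(f)["verdict"] for f in frames)


# Constructed sample traffic (not the pcap from the thread): a clean UDP/500
# datagram, the same with a corrupted checksum, and one with a bogus length.
SRC, DST, PAYLOAD = b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02", b"\x00" * 28
CLEAN = build_udp_frame(SRC, DST, 500, 500, PAYLOAD)
_wrong = (check_udp_frame(CLEAN)["expected"] ^ 0x8000) or 1  # nonzero and wrong
BAD_SUM = build_udp_frame(SRC, DST, 500, 500, PAYLOAD, checksum=_wrong)
BAD_LEN = build_udp_frame(SRC, DST, 500, 500, PAYLOAD, udp_len=4)
SAMPLES = [CLEAN, BAD_SUM, BAD_LEN]

if __name__ == "__main__":
    frames = list(iter_pcap_frames(open(sys.argv[1], "rb").read())) if len(sys.argv) > 1 else SAMPLES
    for verdict, n in sorted(tally(frames).items()):
        print("%-13s %d" % (verdict, n))
```

Run against a capture, a count under "malformed" points at a length or header problem that no checksum setting will change, while a count under "bad-checksum" is exactly the case that `-k none` (or `config checksum_mode: none`) is meant to let through. A zero checksum field is treated as "no checksum" because that is what UDP over IPv4 permits; the reader is limited to classic pcap with Ethernet link type, so pcapng or other link types need conversion first.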
Current thread:
- why UDP disc acquire? Andrey Kiryukhin (Jun 24)
- Re: why UDP disc acquire? Al Lewis (allewi) (Jun 24)
- Re: why UDP disc acquire? Andrey Kiryukhin (Jun 24)
- Re: why UDP disc acquire? Al Lewis (allewi) (Jun 24)
- Re: why UDP disc acquire? Andrey Kiryukhin (Jun 25)
- Re: why UDP disc acquire? wkitty42 (Jun 25)
- Re: why UDP disc acquire? Andrey Kiryukhin (Jun 25)
- Re: why UDP disc acquire? Al Lewis (allewi) (Jun 25)
- Re: why UDP disc acquire? Al Lewis (allewi) (Jun 25)
- Re: why UDP disc acquire? Andrey Kiryukhin (Jun 24)
- Re: why UDP disc acquire? Al Lewis (allewi) (Jun 24)