Snort mailing list archives
Don't discard truncated packets
From: Felix Erlacher <felix.erlacher () uibk ac at>
Date: Thu, 26 Jan 2017 20:04:22 +0100
Hi all,

I have a pcap trace with one packet containing payload for a rule I want to test. The packet is truncated. The rule does not trigger an alert. I can see in the protocol statistics that one IPv4 packet is discarded. As I only have one packet in the trace I assume it is discarded because it is truncated.

Can I tell Snort to not discard truncated packets? Or better, not to discard packets with "basic encoding integrity flaws" as the manual calls it. I tried various preproc options from the manual, always with the result of truncated packets being discarded.

While I am aware that having Snort analyze truncated packets might not be the best of ideas, it would be helpful in various test scenarios.

BTW: I am using the "-k none" switch, so this problem shouldn't be caused by checksum errors.

greets
--
Felix Erlacher
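One way to confirm that the single discarded packet really is truncated, rather than assuming it, is to compare the lengths recorded in the trace itself. The following is an added example, not part of the original post and not Snort code; it assumes a classic pcap file (not pcapng) with Ethernet framing, and the function names and the sample trace are constructed for illustration.

```python
import struct

# Classic pcap magic (microsecond timestamps) -> struct byte-order prefix
PCAP_MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}

def find_truncated(pcap_bytes):
    """Return [(frame_number, [reasons])] for frames that are cut short."""
    endian = PCAP_MAGIC.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "I", pcap_bytes[20:24])[0]
    findings, off, number = [], 24, 0
    while off + 16 <= len(pcap_bytes):
        # Per-record header: ts_sec, ts_usec, captured length, on-the-wire length
        _, _, caplen, wirelen = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        number += 1
        reasons = []
        if len(frame) < caplen:
            reasons.append("record runs past end of file")
        if caplen < wirelen:
            reasons.append("captured length < wire length")
        # Ethernet (linktype 1) carrying IPv4: compare the IP total-length field
        # with the bytes actually present after the 14-byte Ethernet header.
        if linktype == 1 and len(frame) >= 18 and frame[12:14] == b"\x08\x00":
            ip_total = struct.unpack("!H", frame[16:18])[0]
            if ip_total > len(frame) - 14:
                reasons.append("IPv4 total length > captured IP bytes")
        if reasons:
            findings.append((number, reasons))
    return findings

def build_sample_pcap():
    """Constructed sample: frame 1 is complete, frame 2 keeps 40 of 74 bytes."""
    eth = bytes(12) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 60, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    full = eth + ip + b"A" * 40
    def record(data, wirelen):
        return struct.pack("<IIII", 0, 0, len(data), wirelen) + data
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + record(full, len(full)) + record(full[:40], len(full))

if __name__ == "__main__":
    for number, reasons in find_truncated(build_sample_pcap()):
        print(f"frame {number}: " + "; ".join(reasons))
```

To check a real trace, pass the file's contents, read in binary mode, to `find_truncated`.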