Snort mailing list archives

Don't discard truncated packets


From: Felix Erlacher <felix.erlacher () uibk ac at>
Date: Thu, 26 Jan 2017 20:04:22 +0100

Hi all,

I have a pcap trace with one packet containing payload for a rule I want
to test. The packet is truncated. The rule does not trigger an alert.
I can see in the protocol statistics that one IPv4 packet is discarded.
As I only have one packet in the trace I assume it is discarded because
it is truncated.

Can I tell Snort to not discard truncated packets?

Or better, not to discard packets with "basic encoding integrity flaws"
as the manual calls it.
I tried various preproc options from the manual, always with the result
of truncated packets being discarded.
While I am aware that having Snort analyze truncated packets might not
be the best of ideas, it would be helpful in various test scenarios.

BTW: I am using the "-k none" switch, so this problem shouldn't be
caused by checksum errors.

greets
-- 
Felix Erlacher
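
An added example, not part of the original post and not Snort code: one way to confirm the assumption above that the packet in a trace is truncated, by comparing each record's captured length with its original length and with the IPv4 total length field. It assumes a classic pcap file (not pcapng) with untagged Ethernet framing; the helper `record` and the sample trace are constructed for illustration.

```python
import struct

# Classic pcap magics (micro- and nanosecond) mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\x4d\x3c\xb2\xa1": "<",
          b"\xa1\xb2\xc3\xd4": ">", b"\xa1\xb2\x3c\x4d": ">"}

def find_truncated(pcap):
    """Return (packet_number, reason) for every record that is cut short."""
    order = MAGICS.get(pcap[:4])
    if order is None:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(order + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled")
    findings, offset, number = [], 24, 0
    while offset + 16 <= len(pcap):
        incl_len, orig_len = struct.unpack(order + "II", pcap[offset + 8:offset + 16])
        frame = pcap[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        number += 1
        if incl_len < orig_len:  # snaplen cut the frame at capture time
            findings.append((number, f"captured {incl_len} of {orig_len} bytes"))
        # IPv4 over Ethernet: total length lives at bytes 16-17 of the frame.
        if len(frame) >= 18 and frame[12:14] == b"\x08\x00":
            total = struct.unpack("!H", frame[16:18])[0]
            present = len(frame) - 14
            if total > present:  # header promises more than the trace holds
                findings.append((number, f"IPv4 total length {total}, {present} bytes present"))
    return findings

def record(ip_total, payload, orig_len=None):
    """Build one constructed pcap record: Ethernet + IPv4 header + payload."""
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    frame = eth + ip + payload
    return struct.pack("<IIII", 0, 0, len(frame), orig_len or len(frame)) + frame

# Constructed sample trace: one complete packet, one cut by snaplen,
# one whose record lengths agree but whose IPv4 header claims more data.
HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
SAMPLE = (HEADER + record(30, b"A" * 10) + record(60, b"B" * 10, orig_len=74)
          + record(60, b"C" * 10))

if __name__ == "__main__":
    for number, reason in find_truncated(SAMPLE):
        print(f"packet {number}: {reason}")
```

To check a real trace, pass the file's bytes, for example `find_truncated(open("trace.pcap", "rb").read())`, where `trace.pcap` is a placeholder name.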
