Snort mailing list archives

Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram

From: Ron Jenkins via Snort-users <snort-users () lists snort org>
Date: Wed, 24 Jul 2019 17:08:04 +0000

Ubuntu Server v18.04 is the only two servers I tested internal.  These two sensors are processing low volume traffic.

Note

  *   When starting the Snort IDS process it will state Decoding Loopback then something next about data link not 
implemented yet at the end.  When starting v2.9.13, this is not seen and it states decoding Ethernet



From: Kaushal Bhandankar (kbhandan) <kbhandan () cisco com>
Sent: Wednesday, July 24, 2019 11:48 AM
To: Ron Jenkins <ron.jenkins () rmjconsulting net>; Al Lewis (allewi) <allewi () cisco com>
Cc: snort-users () lists snort org
Subject: RE: [Snort-users] Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram

Hi Ron,
Sorry to hear about the issue you are facing. Can you let us know the OS, flavor on which you are testing this ?
Do you see this behavior with only high amount of traffic or even with a single packet ?

Regards,
Kaushal

From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> On Behalf Of 
Ron Jenkins via Snort-users
Sent: Wednesday, July 24, 2019 7:51 PM
To: Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>; 'snort-users () lists snort org' <snort-users 
() lists snort org<mailto:snort-users () lists snort org>>
Subject: Re: [Snort-users] Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram

I confirmed that traffic is seen on the interface via tcpdump and Snort shows all seen IP4 traffic 100% discarded.  
Uninstalled Snort v2.9.14 from both sensors and reinstalled v2.9.13; all works fine with v2.9.13.


Thanks!

From: Al Lewis (allewi) <allewi () cisco com<mailto:allewi () cisco com>>
Sent: Wednesday, July 24, 2019 9:09 AM
To: Ron Jenkins <ron.jenkins () rmjconsulting net<mailto:ron.jenkins () rmjconsulting net>>; 'snort-users () lists 
snort org' <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Subject: Re: [Snort-users] Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram

Have you been able to analyze the traffic and confirm its valid? Do you have a copy of the traffic you can share?

Albert Lewis
ENGINEER.SOFTWARE ENGINEERING
Cisco Systems Inc.
Email: allewi () cisco com<mailto:allewi () cisco com>



From: Snort-users <snort-users-bounces () lists snort org<mailto:snort-users-bounces () lists snort org>> on behalf of 
Ron Jenkins via Snort-users <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Reply-To: Ron Jenkins <ron.jenkins () rmjconsulting net<mailto:ron.jenkins () rmjconsulting net>>
Date: Wednesday, July 24, 2019 at 10:07 AM
To: "'snort-users () lists snort org'" <snort-users () lists snort org<mailto:snort-users () lists snort org>>
Subject: [Snort-users] Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram

Good morning;

Is anyone experiencing issues with the latest version dropping all IP4 packets stating; (snort_decoder) WARNING: Not 
IPv4 datagram.

Worked perfectly when v2.9.13 was running on the same computer.


Thank you!

Ron Jenkins (Owner / Senior Architect)
RMJ Consulting, LLC. " Supporting Companies with their Technology needs"
11715 Bricksome Ave STE B-7
Baton Rouge, LA 70816
Direct. 225-448-5214 Ext #101
Cell. 225-931-1632
Web. http://www.rmjconsulting.net<http://www.rmjconsulting.net/>
Log Siphon. http://www.logsiphon.com<http://www.logsiphon.com/>
Linkedin. www.linkedin.com/in/ronmjenkins/<http://www.linkedin.com/in/ronmjenkins/>
Twitter: www.twitter.com/RMJConsulting<http://www.twitter.com/RMJConsulting>
Facebook: www.facebook.com/rmjcsconsulting<http://www.facebook.com/rmjcsconsulting>
RMJ Consulting’s Technology Corner. https://www.rmjconsulting.net/main/paper.php


PRIVILEGED & CONFIDENTIAL COMMUNICATION:
The information contained in this transmission may be privileged, confidential, and exempt from disclosure under 
applicable law. It is intended only for the use of the intended recipient. If you are not the intended recipient, you 
are hereby on notice that any unauthorized disclosure, dissemination, distribution, duplication, or taking any action 
in reliance on the contents of the electronically transmitted materials or contents of this communication is strictly 
prohibited. If you have received this communication in error, please contact the sender by reply e-mail and destroy all 
copies of the original message.

PRIVILEGED & CONFIDENTIAL COMMUNICATION:
The information contained in this transmission may be privileged, confidential, and exempt from disclosure under 
applicable law. It is intended only for the use of the intended recipient. If you are not the intended recipient, you 
are hereby on notice that any unauthorized disclosure, dissemination, distribution, duplication, or taking any action 
in reliance on the contents of the electronically transmitted materials or contents of this communication is strictly 
prohibited. If you have received this communication in error, please contact the sender by reply e-mail and destroy all 
copies of the original message.
PRIVILEGED & CONFIDENTIAL COMMUNICATION:
The information contained in this transmission may be privileged, confidential, and exempt from disclosure under 
applicable law. It is intended only for the use of the intended recipient. If you are not the intended recipient, you 
are hereby on notice that any unauthorized disclosure, dissemination, distribution, duplication, or taking any action 
in reliance on the contents of the electronically transmitted materials or contents of this communication is strictly 
prohibited. If you have received this communication in error, please contact the sender by reply e-mail and destroy all 
copies of the original message.

_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette

Current thread:

Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram, (continued)
- - - Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Роман Голубенко via Snort-users (Jul 25)
  - Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Dorian ROSSE via Snort-users (Jul 25)
    - Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Ron Jenkins via Snort-users (Jul 25)
    - Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Dorian ROSSE via Snort-users (Jul 25)
    - Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Ron Jenkins via Snort-users (Jul 25)
    - Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Michael Steele (Jul 25)
- Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Ron Jenkins via Snort-devel (Jul 24)
- Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Al Lewis (allewi) via Snort-users (Jul 24)
  - Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Ron Jenkins via Snort-users (Jul 24)
    - Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Kaushal Bhandankar (kbhandan) via Snort-users (Jul 24)
    - Re: Snort v2.9.14.0 Issues - (snort_decoder) WARNING: Not IPv4 datagram Ron Jenkins via Snort-users (Jul 24)