Snort mailing list archives
Re: novice question: logs
From: John Sage <jsage () finchhaven com>
Date: Fri, 11 Jan 2002 22:11:32 -0800
Justin:
You don't say what version snort/what OS platform you're running (which can sometimes be helpful..) but the only place I find the string "ICMP Unreachable IP short header" anywhere in the files of snort 1.8.2 build 86 on Linux is within decode.c.
I am not in the least qualified to explain what decode.c is doing in any detail, so I won't start, but what's happened (I believe) is that you have received an ICMP type 3 unreachable response (unreachable what? there's a lot: host, network, port probably being the most common..) to a packet that your system has sent out, and that response packet contains a zero-length IP header.
IP headers are expected to be at least 20 bytes; IP options and optional data can make them bigger, but 20 bytes is to be expected...
The "ID 702911 daemon.error" has me a little puzzled.
"daemon.error" is from the klogd/syslogd logging process, and is facility.priority
"ID 702911" shows up on a bazillion Google search hits, but none of them explain **what** its significance is...
(one post calls it a process ID, but I don't think so: it's six digits... I couldn't grep for either ID 702911 or 702911 anywhere on my system..)
Anyway, HTH a little..
- John
--
Computers: they're really nothing but l's and O's
Justin Ferguson wrote:
Hi, I have some logs on my hands and I'm not quite sure exactly what it's trying to tell me:
Jan 11 03:58:59 snarfer snort[2478]: [ID 702911 daemon.error] ICMP Unreachable IP short header (0 bytes)
Jan 11 05:49:24 snarfer last message repeated 1 time
Jan 11 06:27:10 snarfer snort[2478]: [ID 702911 daemon.error] ICMP Unreachable IP short header (0 bytes)
I understand what the protocols are, but that error tells me little, is this a packet it received? did it get unreachable trying to contact someone? If someone could explain briefly what's happening I would appreciate it a lot, thank you
j. ferguson
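The length check discussed in the reply above, as an added example in C that is not part of the original post and is not Snort's decode.c: it validates the IP header embedded in an ICMP type 3 message against the 20-byte minimum. The function, enum and macro names are hypothetical and the sample packets are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status names are hypothetical, chosen for this example (not Snort's). */
enum embed_status {
    EMBED_OK,             /* embedded IPv4 header is complete */
    EMBED_NOT_UNREACH,    /* not an ICMP type 3 message */
    EMBED_ICMP_TRUNCATED, /* fewer than 8 bytes of ICMP header */
    EMBED_IP_SHORT,       /* fewer than 20 bytes follow the ICMP header */
    EMBED_IP_BAD_VERSION, /* embedded header is not IPv4 */
    EMBED_IP_BAD_IHL      /* IHL under 5 words or longer than the data present */
};

#define EX_ICMP_HDR_LEN   8  /* type, code, checksum, 4 unused bytes */
#define EX_IP_MIN_HDR_LEN 20
#define EX_ICMP_UNREACH   3

/* icmp/len: the ICMP message with the outer IP header already stripped.
 * *embedded_len receives the bytes left for the embedded IP header. No checksum checks. */
enum embed_status check_unreach(const uint8_t *icmp, size_t len, size_t *embedded_len)
{
    *embedded_len = 0;
    if (len < EX_ICMP_HDR_LEN) return EMBED_ICMP_TRUNCATED;
    if (icmp[0] != EX_ICMP_UNREACH) return EMBED_NOT_UNREACH;
    const uint8_t *ip = icmp + EX_ICMP_HDR_LEN;
    size_t remaining = len - EX_ICMP_HDR_LEN;
    *embedded_len = remaining;
    if (remaining < EX_IP_MIN_HDR_LEN) return EMBED_IP_SHORT; /* 0 here = "(0 bytes)" */
    if ((ip[0] >> 4) != 4) return EMBED_IP_BAD_VERSION;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* header length in bytes */
    if (ihl < EX_IP_MIN_HDR_LEN || ihl > remaining) return EMBED_IP_BAD_IHL;
    return EMBED_OK;
}

/* Constructed samples: port unreachable (type 3, code 3), zeroed checksums. */
static const uint8_t sample_empty[8] = {3, 3, 0, 0, 0, 0, 0, 0};
static const uint8_t sample_ok[28] = {3, 3, 0, 0, 0, 0, 0, 0,
    0x45, 0, 0, 28, 0, 0, 0, 0, 64, 17, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2};

int main(void)
{
    size_t n;
    enum embed_status s = check_unreach(sample_empty, sizeof sample_empty, &n);
    printf("empty: status=%d embedded=%zu\n", (int)s, n);
    s = check_unreach(sample_ok, sizeof sample_ok, &n);
    printf("ok:    status=%d embedded=%zu\n", (int)s, n);
    return 0;
}
```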