Snort mailing list archives

pcap_loop: bogus savefile header


From: Vincent Chen <vctw () yahoo com>
Date: Fri, 29 Mar 2002 23:39:06 -0800 (PST)


Dear all,

I have run Snort for a while and found that the packet log file
will be corrupted after an oversized fragment is received.

After I got the following alert:

[**] [113:1:1] spp_frag2: Oversized fragment, probable DoS [**]
10/05-16:38:14.3633994403197.230.54.72 -> 124.152.42.136
PROTO068 TTL:25 TOS:0x2B ID:33962 IpLen:52 DgmLen:14733 RB DF
IP Options (1) => Opt 57: 5423 E63D A0D6 89A3 7C1A 273D EE90 2614 322C 6770 3979 8054 E680 62F9 892E 4783 7AFE EAD1 0C0B 73C9
Frag Offset: 0x041CAD   Frag Size: 0x3959

The packet log file will grow to several megabytes. If
I try to read it, I get:

.
.
.

pcap_loop: bogus savefile header

===============================================================================

Snort processed 51 packets.
Breakdown by protocol:                Action Stats:

    TCP: 51         (100.000%)         ALERTS: 0
    UDP: 0          (0.000%)          LOGGED: 0
   ICMP: 0          (0.000%)          PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================

.
.
.

It's a DoS to me, not just probable. Is there any
solution for this?

Thanks for your help,

Vincent Chen
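
One way to find where a damaged log like the one described above stops being readable, and to keep the records before that point. This is an added example, not part of the original post and not Snort or libpcap code. It assumes the classic pcap savefile layout (24-byte global header, 16-byte record headers); the 65535-byte ceiling, the function names and the sample bytes are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4   # classic microsecond-resolution savefile magic
MAX_CAPLEN = 65535        # sanity ceiling assumed for this example

def scan_pcap(data):
    """Return (good_records, bad_offset, reason); bad_offset is None if clean."""
    if len(data) < 24:
        return 0, 0, "truncated global header"
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        endian = "<"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        endian = ">"
    else:
        return 0, 0, "bad magic"
    snaplen = struct.unpack(endian + "I", data[16:20])[0]
    limit = min(snaplen, MAX_CAPLEN) if snaplen else MAX_CAPLEN
    offset, good = 24, 0
    while offset < len(data):
        if len(data) - offset < 16:
            return good, offset, "truncated record header"
        _sec, _usec, incl_len, _orig = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        if incl_len > limit:
            return good, offset, "incl_len %d exceeds limit %d" % (incl_len, limit)
        if offset + 16 + incl_len > len(data):
            return good, offset, "truncated packet data"
        offset += 16 + incl_len
        good += 1
    return good, None, "ok"

def salvage(data):
    """Keep everything before the first implausible record header."""
    _good, bad, _reason = scan_pcap(data)
    return data if bad is None else data[:bad]

def build_sample():
    """Constructed input: two valid 60-byte records, then a garbage header."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 1514, 1)
    for ts in (1, 2):
        out += struct.pack("<IIII", ts, 0, 60, 60) + b"\x00" * 60
    out += struct.pack("<IIII", 3, 0, 0x3959FFFF, 0x3959FFFF) + b"\xAA" * 32
    return out

if __name__ == "__main__":
    sample = build_sample()
    print(scan_pcap(sample))            # first bad record header and why
    print(scan_pcap(salvage(sample)))   # truncated copy reads cleanly
```

Savefiles with the nanosecond magic or in pcapng format are reported as "bad magic" by this sketch.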
