Snort mailing list archives
pcap_loop: bogus savefile header
From: Vincent Chen <vctw () yahoo com>
Date: Fri, 29 Mar 2002 23:39:06 -0800 (PST)
Dear all,

I have run Snort for a while and found that the packet log file will be corrupted after an oversized fragment is received. After I got the following alert:

[**] [113:1:1] spp_frag2: Oversized fragment, probable DoS [**]
10/05-16:38:14.3633994403197.230.54.72 -> 124.152.42.136
PROTO068 TTL:25 TOS:0x2B ID:33962 IpLen:52 DgmLen:14733 RB DF
IP Options (1) => Opt 57: 5423 E63D A0D6 89A3 7C1A 273D EE90 2614 322C 6770 3979 8054 E680 62F9 892E 4783 7AFE EAD1 0C0B 73C9
Frag Offset: 0x041CAD   Frag Size: 0x3959

The packet log file will grow to several megabytes. When trying to read it, I got:

. . .
pcap_loop: bogus savefile header
===============================================================================
Snort processed 51 packets.
Breakdown by protocol:                Action Stats:
    TCP: 51         (100.000%)         ALERTS: 0
    UDP: 0          (0.000%)           LOGGED: 0
   ICMP: 0          (0.000%)           PASSED: 0
    ARP: 0          (0.000%)
   IPv6: 0          (0.000%)
    IPX: 0          (0.000%)
  OTHER: 0          (0.000%)
===============================================================================
. . .

It's a DoS to me, not just probable. Is there any solution for this?

Thanks for your help,
Vincent Chen
Current thread:
- pcap_loop: bogus savefile header Vincent Chen (Apr 02)
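
A triage sketch for a log file in the state described in the message above, added here as an example and not taken from the post, Snort or libpcap: it walks a classic pcap savefile, reports the offset of the first record header that cannot be valid, and keeps the records before it. It assumes the damage is in a per-packet record header, the classic microsecond-timestamp pcap layout and a 65535-byte ceiling on captured length; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Classic pcap magic (microsecond timestamps) mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}
MAX_SANE_CAPLEN = 65535  # assumption: ceiling for a plausible captured length


def scan_savefile(data):
    """Return (good_records, offset_of_first_bad_record_or_None, reason)."""
    if len(data) < 24 or data[:4] not in MAGICS:
        return 0, 0, "bad or truncated global header"
    end = MAGICS[data[:4]]
    # version major/minor, thiszone, sigfigs, snaplen, linktype
    _maj, _min, _tz, _sig, snaplen, _link = struct.unpack(end + "HHiIII", data[4:24])
    limit = snaplen if 0 < snaplen <= MAX_SANE_CAPLEN else MAX_SANE_CAPLEN
    off, good = 24, 0
    while off < len(data):
        if len(data) - off < 16:
            return good, off, "truncated record header"
        # ts_sec, ts_usec, caplen (bytes stored), len (bytes on the wire)
        _sec, _usec, caplen, _wirelen = struct.unpack(end + "IIII", data[off:off + 16])
        if caplen > limit:
            return good, off, f"caplen {caplen} exceeds limit {limit}"
        if off + 16 + caplen > len(data):
            return good, off, "record body truncated"
        off += 16 + caplen
        good += 1
    return good, None, "ok"


def salvage(data):
    """Keep the global header plus every record before the first bad one."""
    _good, bad_off, _reason = scan_savefile(data)
    return data if bad_off is None else data[:bad_off]


def _record(payload, caplen=None):
    # Helper for the constructed sample only: one little-endian pcap record.
    n = len(payload) if caplen is None else caplen
    return struct.pack("<IIII", 1017473946, 0, n, n) + payload


# Constructed sample: snaplen 1514, two valid 60-byte records, then a record
# header whose length fields hold junk, as a corrupted log would.
SAMPLE = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 1514, 1)
          + _record(b"\x00" * 60) + _record(b"\x00" * 60)
          + _record(b"\x00" * 40, caplen=0x7C1A273D))

if __name__ == "__main__":
    print(scan_savefile(SAMPLE))
    print(scan_savefile(salvage(SAMPLE)))
```

Writing the bytes returned by salvage() to a new file gives a savefile that reads cleanly up to the point of corruption, so the packets logged before the bad record stay available for analysis.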