Snort mailing list archives
Bad Protocol?
From: "Mike Koponick" <mike () redhawk info>
Date: Sun, 5 Jan 2003 09:30:20 -0800
Now that I have decent logging working, I'm getting some messages that appear to be normal packets, but SNORT seems to think that something is wrong with them. I think it might be a rule problem. Has anyone else seen this?

01/05-17:33:24.184929 [**] [118:1:1] (spp_conversation) Bad IP protocol! [**] {UDP} 192.168.xx.xx:514 -> 192.168.xx.xx:514

Obviously, this is a SYSLOG message, which we do have a node on the network logging to the snort box for syslog parsing.

This is what the packet looks like:

[**] (spp_conversation) Bad IP protocol! [**]
01/04-15:56:38.598158 192.168.xx.xx:514 -> 192.168.xx.xx:514
UDP TTL:255 TOS:0x0 ID:46088 IpLen:20 DgmLen:171

Thanks in advance for your help.

Mike