Snort mailing list archives
RE: bug in snort 2.0.1?
From: Erek Adams <erek () snort org>
Date: Sat, 9 Aug 2003 23:33:25 -0400 (EDT)
[Sorry for the delay, but I had to do some RTFM'ing]

On Thu, 7 Aug 2003, Luo, Philip wrote:

Here is the actual alert.

    [**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**]
    08/07-14:22:29.786200 10.1.187.106:0 -> 10.1.27.12:0
    UDP TTL:128 TOS:0x0 ID:24027 IpLen:20 DgmLen:1675
    Len: 1647

The IP length is 1675, the UDP length is 1655, but the payload length is none.
Ok, from that packet you'll see that alert. 1675 > 0 :)
I am using an IBM Token Ring connection, which also has many

    [**] [116:143:1] (snort_decoder) WARNING: Bad Token Ring MR Header! [**]
    08/06-15:15:06.924570

Token Ring! MR Header?

Ok, this one took some research since I know nothing about Token Ring. According to RFC 1042, Token Ring has a "Multi Ring" header. Looking at the code in src/decode.c lines 623 - 636 (current CVS), from what I can tell, the reason this alert is firing is that the length of the capture is longer than the Token Ring header length, which fires the alert. Here's the section of code that deals with it.

    623     if(cap_len < (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)))
    624     {
    625         if(pv.verbose_flag)
    626             ErrorMessage("Captured data length < Token Ring header length! "
    627                          "(%d < %d bytes)\n", cap_len,
    628                          (sizeof(Trh_hdr) + sizeof(Trh_llc) + sizeof(Trh_mr)));
    629
    630         if((runMode == MODE_IDS) && pv.decoder_flags.decode_alerts)
    631         {
    632             SetEvent(&event, GENERATOR_SNORT_DECODE,
    633                      DECODE_BAD_TRHMR, 1, DECODE_CLASS, 5, 0);
    634             CallAlertFuncs(p, DECODE_BAD_TRHMR_STR, NULL, &event);
    635             CallLogFuncs(p, DECODE_BAD_TRHMR_STR, NULL, &event);
    636         }

So basically, it's the same thing. Packet size == What it should be. Are you sure you don't have some NICs doing something odd or traffic that's a bit strange? If you could get a pcap of this in parallel with the snort alerts, that would really help. Make sure that the snaplen is "maxed" out. Set snaplen to 0.

    tcpdump -s 0 <options>

Cheers!

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
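The "Short UDP packet" alert discussed in this thread comes from a decoder sanity check: the UDP length field claims more data than the capture actually holds. The following is an added example written for this archive page, not Snort's own decoder code; it re-implements that kind of check on a raw IPv4/UDP buffer and rebuilds the exact situation from the quoted alert (IpLen 20, DgmLen 1675, UDP length 1655) once with a capture that stops after the headers and once with the full 1647 data bytes present. All names (check_udp, build_packet, the udp_verdict enum) are this example's own; the struct also records whether the IP total length exceeds the captured length, which is what a too-small snaplen looks like.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Verdicts modelled on the snort_decoder alerts quoted in the thread.
 * These enum names are this example's own, not Snort's identifiers. */
enum udp_verdict {
    UDP_OK = 0,
    UDP_TRUNCATED_HEADERS, /* capture too short to hold the IP and UDP headers */
    UDP_HDR_TOO_SHORT,     /* UDP length field < 8: the header itself is bogus */
    UDP_SHORT_PACKET       /* UDP length field > payload actually captured */
};

struct udp_check {
    enum udp_verdict verdict;
    size_t ip_hlen;          /* IP header length from IHL, in bytes */
    size_t dgm_len;          /* IP total length field */
    size_t udp_len;          /* UDP length field (header + data) */
    size_t payload_captured; /* UDP data bytes actually present in the capture */
    int truncated;           /* 1 if dgm_len > cap_len, i.e. snaplen cut the packet */
};

/* Inspect a raw IPv4/UDP packet (no link layer) of cap_len captured bytes. */
struct udp_check check_udp(const uint8_t *pkt, size_t cap_len)
{
    struct udp_check r;
    memset(&r, 0, sizeof r);

    if (cap_len < 20) {
        r.verdict = UDP_TRUNCATED_HEADERS;
        return r;
    }
    r.ip_hlen = (size_t)(pkt[0] & 0x0f) * 4;
    r.dgm_len = ((size_t)pkt[2] << 8) | pkt[3];
    r.truncated = r.dgm_len > cap_len;
    if (r.ip_hlen < 20 || cap_len < r.ip_hlen + 8) {
        r.verdict = UDP_TRUNCATED_HEADERS;
        return r;
    }

    const uint8_t *udph = pkt + r.ip_hlen;
    r.udp_len = ((size_t)udph[4] << 8) | udph[5];
    if (r.udp_len < 8) {
        r.verdict = UDP_HDR_TOO_SHORT;
        return r;
    }

    /* Payload the capture really contains: whatever follows the UDP header.
     * A short snaplen cuts this off even though the length fields are sane. */
    r.payload_captured = cap_len - r.ip_hlen - 8;
    r.verdict = (r.udp_len - 8 > r.payload_captured) ? UDP_SHORT_PACKET : UDP_OK;
    return r;
}

/* Constructed packet: 20-byte IPv4 header with the given total length, 8-byte
 * UDP header with the given length field, then `data` zero bytes of payload.
 * Returns bytes written, or 0 if buf is too small. */
size_t build_packet(uint8_t *buf, size_t buf_size,
                    uint16_t dgm_len, uint16_t udp_len, size_t data)
{
    size_t need = 20 + 8 + data;
    if (buf_size < need)
        return 0;
    memset(buf, 0, need);
    buf[0] = 0x45;                    /* IPv4, IHL = 5 (20 bytes) */
    buf[2] = (uint8_t)(dgm_len >> 8);
    buf[3] = (uint8_t)(dgm_len & 0xff);
    buf[8] = 128;                     /* TTL, as in the quoted alert */
    buf[9] = 17;                      /* protocol: UDP */
    buf[24] = (uint8_t)(udp_len >> 8);
    buf[25] = (uint8_t)(udp_len & 0xff);
    return need;
}

/* The quoted alert: DgmLen 1675, UDP length 1655, but the capture stopped
 * right after the headers, so payload length is "none". */
struct udp_check demo_truncated_capture(void)
{
    uint8_t buf[64];
    size_t n = build_packet(buf, sizeof buf, 1675, 1655, 0);
    return check_udp(buf, n);
}

/* Same headers with all 1647 data bytes captured (what tcpdump -s 0 gives). */
struct udp_check demo_full_capture(void)
{
    uint8_t buf[2048];
    size_t n = build_packet(buf, sizeof buf, 1675, 1655, 1647);
    return check_udp(buf, n);
}

int main(void)
{
    struct udp_check t = demo_truncated_capture();
    struct udp_check f = demo_full_capture();
    printf("headers only: %s (payload captured %zu, truncated by snaplen: %d)\n",
           t.verdict == UDP_SHORT_PACKET ? "Short UDP packet" : "ok",
           t.payload_captured, t.truncated);
    printf("full capture: %s (payload captured %zu)\n",
           f.verdict == UDP_OK ? "ok" : "alert", f.payload_captured);
    return 0;
}
```

The `truncated` flag is the diagnostic a practitioner wants next to the alert: when the IP total length exceeds the captured length, the "short packet" is an artifact of the capture, not of the sender, and raising the snaplen (as the reply recommends) makes the alert go away.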
Current thread:
- bug in snort 2.0.1? Luo, Philip (Aug 07)
- Re: bug in snort 2.0.1? Erek Adams (Aug 07)
- Re: bug in snort 2.0.1? Andrew R. Baker (Aug 07)
- <Possible follow-ups>
- RE: bug in snort 2.0.1? Luo, Philip (Aug 07)
- RE: bug in snort 2.0.1? Erek Adams (Aug 09)