Snort mailing list archives

Re: how to stop these UDP TCP alerts?


From: Erek Adams <erek () snort org>
Date: Tue, 23 Sep 2003 06:42:13 -0400 (EDT)

On Mon, 22 Sep 2003, Clayton Mascarenhas wrote:

I know this question has been asked before, but I cannot find the answer
to this. I have really searched Google and the mailing list but still
can't find the answer to this question.

Could I please know how to stop snort 2.0.2 from generating the
following alerts...

[**] (snort_decoder): Short UDP packet, length field > payload length
[**] 01/29-01:00:18.399475 132.x.x.x:0 -> 132.x.x.x:0 UDP TTL:128
TOS:0x0 ID:15667 IpLen:20 DgmLen:161Len: 133

[**] (snort_decoder) WARNING: TCP Header length exceeds packet length!
[**]01/29-01:00:09.082724 132.x.x.x:0 -> 132.x.x.x:0 TCP TTL:60 TOS:0x0
ID:57434 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x21676561 Ack: 0xCECE0987
Win: 0xC036 TcpLen: 32

I am getting a million of these alerts. I don't think there is any snort
rule to this. Am I correct?

They are from the 'snort_decoder', not from a rule.

To stop them you'll have to either use a BPF filter to ignore the hosts,
or turn off the TCP checks in the snort.conf (there's a whole section on
it).

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

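Before choosing between the two options in the reply above, it helps to see which hosts actually produce the decoder alerts. The following is an added example, not part of the original thread: it parses alerts in the layout quoted above, tallies decoder alerts per source, and builds a BPF exclusion for the noisiest hosts. The sample alerts, addresses, function names and threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample alerts in the layout quoted in the thread; addresses are
# RFC 5737 documentation ranges, not values from the original post.
SAMPLE = """\
[**] (snort_decoder): Short UDP packet, length field > payload length
[**] 01/29-01:00:18.399475 192.0.2.10:0 -> 192.0.2.20:0 UDP TTL:128
TOS:0x0 ID:15667 IpLen:20 DgmLen:161

[**] (snort_decoder) WARNING: TCP Header length exceeds packet length!
[**]01/29-01:00:09.082724 192.0.2.10:0 -> 192.0.2.20:0 TCP TTL:60 TOS:0x0

[**] (snort_decoder): Short UDP packet, length field > payload length
[**] 01/29-01:00:19.000001 198.51.100.7:0 -> 192.0.2.20:0 UDP TTL:128

[**] [1:1000001:1] Constructed rule alert [**]
[**] 01/29-01:00:20.000000 203.0.113.5 -> 192.0.2.20 ICMP TTL:64
"""

DECODER = re.compile(r"\(snort_decoder\):?\s*(?:WARNING:\s*)?(.+?)\s*$")
FLOW = re.compile(r"(\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+(\d+\.\d+\.\d+\.\d+)")

def tally_decoder_alerts(text):
    """Count decoder alerts per (message, source host); rule alerts are skipped."""
    counts, pending = Counter(), None
    for line in text.splitlines():
        m = DECODER.search(line)
        if m:
            pending = m.group(1)          # remember the decoder message
            continue
        f = FLOW.search(line)
        if f and pending:
            counts[(pending, f.group(1))] += 1
        if f or not line.strip():
            pending = None                # packet line consumed or alert ended
    return counts

def bpf_excluding(counts, threshold):
    """Build a BPF expression that ignores only sources at or above threshold."""
    per_host = Counter()
    for (_, src), n in counts.items():
        per_host[src] += n
    noisy = sorted(h for h, n in per_host.items() if n >= threshold)
    return "not (" + " or ".join(f"src host {h}" for h in noisy) + ")" if noisy else ""

if __name__ == "__main__":
    tallies = tally_decoder_alerts(SAMPLE)
    print(tallies.most_common(), bpf_excluding(tallies, 2), sep="\n")
```

The expression can be given to Snort as the trailing filter argument or in a file read with `-F`; it hides all traffic from the listed hosts, not only the decoder alerts, so keep the list short. The snort.conf route mentioned in the reply is the decoder section's `config disable_decode_alerts` family of options, which silences these alerts for every host.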
