Snort mailing list archives
RE: bug in snort 2.0.1?
From: "Luo, Philip" <Philip_Luo () adp com>
Date: Thu, 7 Aug 2003 14:47:07 -0400
Here is the actual alert.

[**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload length [**]
08/07-14:22:29.786200 10.1.187.106:0 -> 10.1.27.12:0
UDP TTL:128 TOS:0x0 ID:24027 IpLen:20 DgmLen:1675
Len: 1647

The IP length is 1675, the UDP length is 1655, but the payload length is none.

I am using an IBM token ring connection, which also has many

[**] [116:143:1] (snort_decoder) WARNING: Bad Token Ring MR Header! [**]
08/06-15:15:06.924570 Token Ring! MR Header?

Philip

-----Original Message-----
From: Erek Adams [mailto:erek () snort org]
Sent: Thursday, August 07, 2003 1:46 PM
To: Luo, Philip
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] bug in snort 2.0.1?

On Thu, 7 Aug 2003, Luo, Philip wrote:
I am getting tons of these alerts like (snort_decoder): Short UDP packet, length field > payload length from desktops to domain controllers. It looks like a bug!
Ummmm.... Have you taken the time to look at the packet in question? The field length might actually be reported as bigger than the payload. Care to share a packet decode?

Far be it for us to think that Microsoft might have done something Whacky like that... :)

Cheers!

-----
Erek Adams

"When things get weird, the weird turn pro." H.S. Thompson
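
The length comparison discussed in this thread, as an added example that is not part of the original messages and is not Snort's own decoder code: it parses an IPv4/UDP packet and compares the IP total length, the UDP length field and the bytes actually captured. The function names and the sample packets are constructed for illustration; the sample reuses the field values from the alert above with no payload bytes present.

```python
import socket
import struct

def build_ipv4_udp(src, dst, sport, dport, ip_total_len, udp_len, payload, ident=0):
    """Build a constructed IPv4+UDP packet whose length fields the caller sets freely."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, ident, 0, 128,
                     socket.IPPROTO_UDP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0)
    return ip + udp + payload

def check_udp_lengths(pkt):
    """Compare the IP and UDP length fields with the bytes really present."""
    if len(pkt) < 20:
        return {"verdict": "truncated-ip-header"}
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto = struct.unpack("!BBHHHBB", pkt[:10])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != socket.IPPROTO_UDP:
        return {"verdict": "not-ipv4-udp"}
    if len(pkt) < ihl + 8:
        return {"verdict": "truncated-udp-header"}
    _sport, _dport, udp_len, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    captured = len(pkt) - ihl          # UDP header + payload bytes in the capture
    if udp_len < 8:
        verdict = "bad-udp-length"     # field smaller than the UDP header itself
    elif udp_len > captured:
        verdict = "short-udp"          # length field > bytes present (the alert's condition)
    elif udp_len != total_len - ihl:
        verdict = "ip-udp-mismatch"    # IP and UDP headers disagree with each other
    else:
        verdict = "ok"
    return {"verdict": verdict, "dgm_len": total_len, "udp_len": udp_len,
            "claimed_payload": udp_len - 8, "captured_payload": captured - 8}

# Constructed sample: DgmLen 1675 and UDP length 1655 as in the alert, but no payload
# bytes in the capture. 1655 - 8 header bytes = 1647, the "Len:" value in the alert.
ALERT_LIKE = build_ipv4_udp("10.1.187.106", "10.1.27.12", 0, 0, 1675, 1655, b"", ident=24027)
# Constructed control: all three lengths agree.
CONSISTENT = build_ipv4_udp("10.1.187.106", "10.1.27.12", 1025, 53, 38, 18, b"x" * 10)

if __name__ == "__main__":
    for name, pkt in (("alert-like", ALERT_LIKE), ("consistent", CONSISTENT)):
        print(name, check_udp_lengths(pkt))
```

Running the same check on the raw bytes of an alerting packet shows whether the capture is really shorter than the UDP header claims or whether the header fields themselves are inconsistent.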