RE: bug in snort 2.0.1?

["Luo, Philip" <Philip_Luo () adp com>]

Here is the actual alert.

[**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload
length [**]
08/07-14:22:29.786200 10.1.187.106:0 -> 10.1.27.12:0
UDP TTL:128 TOS:0x0 ID:24027 IpLen:20 DgmLen:1675
Len: 1647

The IP length is 1675, the UDP length is 1655, but the payload length is
none.

I am using ibm token ring connection which also have many 
[**] [116:143:1] (snort_decoder) WARNING: Bad Token Ring MR Header! [**]
08/06-15:15:06.924570

Token Ring! MR Header?

Philip

-----Original Message-----
From: Erek Adams [mailto:erek () snort org] 
Sent: Thursday, August 07, 2003 1:46 PM
To: Luo, Philip
Cc: 'snort-users () lists sourceforge net'
Subject: Re: [Snort-users] bug in snort 2.0.1?

On Thu, 7 Aug 2003, Luo, Philip wrote:

> I am getting tons of these alerts like
>
> (snort_decoder): Short UDP packet, length field > payload length
>
> from desktops to domain controllers. It looks like a bug!

Ummmm....  Have you taken the time to look at the packet in question?  The
field length might actually be reported as bigger than the payload.  Care
to share a packet decode?  Far be it for us to think that Microsoft might
have done something Whacky like that...  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson



-------------------------------------------------------
This SF.Net email sponsored by: Free pre-built ASP.NET sites including
Data Reports, E-commerce, Portals, and Forums are available now.
Download today and enter to win an XBOX or Visual Studio .NET.
http://aspnet.click-url.com/go/psa00100003ave/direct;at.aspnet_072303_01/01
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users