Snort mailing list archives

RE: Logs in Messages


From: "Paul Melson" <pmelson () gmail com>
Date: Mon, 11 Jul 2005 14:27:55 -0400

It means that your sensor saw packets that had 8 more bytes than were
specified in the LEN field of the IP header.  It's not necessarily
indicative of an attack, just traffic that shouldn't be.  It may be a
misconfigured router or host, or it could be an attack.  Time to break out
tcpdump and figure out what's going on. 

PaulM


-----Original Message-----
Subject: [Snort-users] Logs in Messages

Hello again:

Anyone know what this log means?

Thanks for any hint
Xavier C.

Jul  5 20:09:36 spark snort: IP Len field is 8 bytes smaller than captured length.     (ip.len: 96, cap.len: 104)
Jul  5 20:09:36 spark snort: IP Len field is 8 bytes smaller than captured length.     (ip.len: 96, cap.len: 104)
Jul  5 20:09:36 spark snort: IP Len field is 6 bytes smaller than captured length.     (ip.len: 40, cap.len: 46)
Jul  5 20:09:36 spark snort: IP Len field is 6 bytes smaller than captured length.     (ip.len: 40, cap.len: 46)
Jul  5 20:09:36 spark snort: IP Len field is 8 bytes smaller than captured length.     (ip.len: 112, cap.len: 120)
Jul  5 20:09:36 spark snort: IP Len field is 6 bytes smaller than captured length.     (ip.len: 40, cap.len: 46)
Jul  5 20:09:37 spark last message repeated 38 times
Jul  5 20:09:37 spark snort: IP Len field is 8 bytes smaller than captured length.     (ip.len: 96, cap.len: 104)
Jul  5 20:09:37 spark snort: IP Len field is 6 bytes smaller than captured length.     (ip.len: 40, cap.len: 46)
Jul  5 20:09:37 spark last message repeated 20 times
Jul  5 20:09:37 spark snort: IP Len field is 8 bytes smaller than captured length.     (ip.len: 112, cap.len: 120)
Jul  5 20:09:37 spark snort: IP Len field is 6 bytes smaller than captured length.     (ip.len: 40, cap.len: 46)
Jul  5 20:09:38 spark last message repeated 33 times
Jul  5 20:09:38 spark snort: IP Len field is 8 bytes smaller than captured length.     (ip.len: 96, cap.len: 104)
Jul  5 20:09:38 spark snort: IP Len field is 8 bytes smaller than captured length.     (ip.len: 96, cap.len: 104)
Jul  5 20:09:38 spark snort: IP Len field is 6 bytes smaller than captured length.     (ip.len: 40, cap.len: 46)
Jul  5 20:09:38 spark last message repeated 8 times
Jul  5 20:09:38 spark snort: IP Len field is 8 bytes smaller than captured length.     (ip.len: 112, cap.len: 120)
Jul  5 20:09:38 spark snort: IP Len field is 6 bytes smaller than captured length.     (ip.len: 40, cap.len: 46)
Jul  5 20:09:38 spark last message repeated 6 times
Jul  5 20:09:39 spark snort: IP Len field is 17 bytes smaller than captured length.     (ip.len: 29, cap.len: 46)
Jul  5 20:09:39 spark snort: IP Len field is 6 bytes smaller than captured length.     (ip.len: 40, cap.len: 46)
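
Added example, not part of the original thread and not Snort code: a Python triage script that groups these messages by (ip.len, cap.len), expands the syslog "last message repeated N times" lines, and separates mismatches that Ethernet minimum-frame padding would explain from those it would not. The sample lines are constructed in the thread's format; the label names and the assumption that cap.len counts the bytes after the 14-byte Ethernet header are mine.

```python
import re
from collections import Counter

# Constructed sample in the format of the syslog lines quoted in this thread.
SAMPLE = """\
Jul  5 20:09:36 spark snort: IP Len field is 8 bytes smaller than captured length.     (ip.len: 96, cap.len: 104)
Jul  5 20:09:36 spark snort: IP Len field is 6 bytes smaller than captured length.     (ip.len: 40, cap.len: 46)
Jul  5 20:09:37 spark last message repeated 38 times
Jul  5 20:09:39 spark snort: IP Len field is 17 bytes smaller than captured length.     (ip.len: 29, cap.len: 46)
"""

# One scanner for both record types; \s+ tolerates mail-client line wrapping.
RECORD = re.compile(
    r"snort: IP Len field is (\d+) bytes smaller than\s+captured length\.\s+"
    r"\(ip\.len: (\d+), cap\.len: (\d+)\)"
    r"|last message repeated (\d+) times"
)

# Assumption: cap.len counts bytes after the 14-byte Ethernet header, so a
# minimum-size frame (60 bytes without FCS) always shows cap.len == 46.
ETH_MIN_PAYLOAD = 46


def classify(ip_len, cap_len):
    """Label a mismatch as explainable by Ethernet padding or not."""
    if cap_len == ETH_MIN_PAYLOAD and ip_len < ETH_MIN_PAYLOAD:
        return "ethernet-min-frame-padding"
    return "unexplained-trailer"


def summarize(text):
    """Return {(ip_len, cap_len): (count, label)}, expanding syslog repeats."""
    counts = Counter()
    last = None
    for m in RECORD.finditer(text):
        if m.group(4):                      # "last message repeated N times"
            if last is not None:
                counts[last] += int(m.group(4))
            continue
        diff, ip_len, cap_len = (int(g) for g in m.group(1, 2, 3))
        if cap_len - ip_len != diff:        # malformed or truncated line
            last = None
            continue
        last = (ip_len, cap_len)
        counts[last] += 1
    return {k: (n, classify(*k)) for k, n in counts.items()}


if __name__ == "__main__":
    for (ip_len, cap_len), (n, label) in sorted(summarize(SAMPLE).items()):
        print(f"ip.len={ip_len:<4} cap.len={cap_len:<4} count={n:<4} {label}")
```

Groups labelled `unexplained-trailer` are the ones worth a packet capture with tcpdump to see what the extra bytes are.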




