Snort mailing list archives
Re: (snort_decoder): Short UDP packet, length field > payload length
From: Joel Esler <eslerj () gmail com>
Date: Thu, 14 Jul 2005 10:12:51 -0400
I've also seen this happen if you are using a third party utensil to feed the data to Snort. Example: tcpdump.

Since tcpdump (by default) only captures the first 53 bytes of a packet (I think 53), if you feed it to Snort it will throw that error at you.

(command line: tcpdump -nn -w - | snort -c /path/to/snort.conf -r - )

If this is your problem, you have to tell the third party tool (tcpdump in this example) to capture the whole packet (increasing the snaplength to max).

(command line: tcpdump -nns 1460 -w - | snort -c /path/to/snort.conf -r - )

That will stop the alert (again, only if this is the problem).

On 7/7/05, Jason Brvenik <jason.brvenik () sourcefire com> wrote:
It means that the system saw a UDP packet which indicated its length was greater than the actual payload. This should not happen and is generally a bad thing.

Flora.francesco wrote:
what kind of alert is that? thanks a lot

-------------------------------------------------------
This SF.Net email is sponsored by the 'Do More With Dual!' webinar happening July 14 at 8am PDT/11am EDT. We invite you to explore the latest in dual core and dual graphics technology at this free one hour event hosted by HP, AMD, and NVIDIA. To register visit http://www.hp.com/go/dualwebinar
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
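The two causes discussed in this thread, a capture cut short by the snap length and a packet whose UDP length field really exceeds its payload, can be told apart offline from the pcap record headers. This is an added example, not code from the thread or from the Snort project: the function names are hypothetical, the three frames are constructed, and it assumes a classic little-endian pcap with untagged Ethernet and IPv4.

```python
import struct

def build_frame(payload, udp_len=None):
    """Constructed Ethernet/IPv4/UDP frame; checksums left at zero."""
    udp_len = 8 + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", 40000, 53, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return b"\x02" * 12 + b"\x08\x00" + ip + udp

def build_pcap(frames, snaplen):
    """Write frames to an in-memory pcap, cutting each at snaplen as a capture tool would."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for f in frames:
        cap = f[:snaplen]
        out += struct.pack("<IIII", 0, 0, len(cap), len(f)) + cap
    return out

def check(data, origlen):
    """Compare the UDP length field with the bytes actually present in one record."""
    if len(data) < 34 or data[12:14] != b"\x08\x00" or data[23] != 17:
        return "not-udp"
    udp_off = 14 + (data[14] & 0x0F) * 4
    truncated = len(data) < origlen        # caplen < wire length: snaplen cut it
    if len(data) < udp_off + 8:
        return "truncated-capture" if truncated else "malformed-udp"
    udp_len = struct.unpack_from("!H", data, udp_off + 4)[0]
    if udp_len <= len(data) - udp_off:
        return "ok"
    # Length field claims more than is present: capture artifact or a bad packet?
    return "truncated-capture" if truncated else "malformed-udp"

def classify(pcap):
    """Return one verdict per pcap record."""
    verdicts, off = [], 24                 # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _, _, caplen, origlen = struct.unpack_from("<IIII", pcap, off)
        verdicts.append(check(pcap[off + 16:off + 16 + caplen], origlen))
        off += 16 + caplen
    return verdicts

FRAMES = [build_frame(b"A" * 100),             # full-size datagram
          build_frame(b"B" * 10),              # small datagram
          build_frame(b"C" * 10, udp_len=200)]  # length field really is wrong

if __name__ == "__main__":
    for snaplen in (68, 65535):
        print(snaplen, classify(build_pcap(FRAMES, snaplen)))
```

A record marked truncated-capture points at the capture tool's snap length; malformed-udp on a fully captured record is the case worth investigating as real traffic.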
Current thread:
- (snort_decoder): Short UDP packet, length field > payload length Flora.francesco (Jul 07)
- Re: (snort_decoder): Short UDP packet, length field > payload length Jason Brvenik (Jul 14)
- Re: (snort_decoder): Short UDP packet, length field > payload length Joel Esler (Jul 14)
- Re: (snort_decoder): Short UDP packet, length field > payload length Jason Brvenik (Jul 14)