Snort mailing list archives
Re: UDP packet size limit
From: Russ Combs <rcombs () sourcefire com>
Date: Fri, 23 Dec 2011 12:12:06 -0500
Lots of possibilities ...

-- Are you sure Snort is seeing the packet(s)?
-- What are Snort's counts?
-- Is the length greater than your MTU?
-- Is it getting fragmented?
-- Is your content (if any), split?
-- Do you have frag3 configured?

On Fri, Dec 23, 2011 at 11:48 AM, Document Retention <document.retention () gmail com> wrote:
Greetings,

During some recent testing it seems that Snort does not detect large (>1500 bytes) UDP packets. Why does this happen? I am using hping3 to craft the UDP packets, I see them via tcpdump running on the snort box but snort refuses to alert. The rule fires when I have a packet size < 1400 bytes.

The rule I am trying to fire is a very simple "alert udp any any <> any 6033 ..."

What do you guys use to detect this type of packet?

Thanks,
Doc

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
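Added example, not part of either message: a Python model of how IPv4 splits one UDP datagram at a given MTU, illustrating the MTU, fragmentation, split-content and frag3 questions in the reply. It assumes a 20-byte IPv4 header without options and a 1500-byte MTU; the function names and the sample payloads are constructed for illustration.

```python
# Added example: models IPv4 fragmentation of a single UDP datagram.
IP_HDR = 20   # assumption: IPv4 header without options
UDP_HDR = 8   # fixed UDP header size

def fragment_udp(payload: bytes, mtu: int = 1500):
    """Split one UDP datagram into IPv4 fragments; one dict per fragment."""
    total = UDP_HDR + len(payload)            # bytes IP must carry
    per_frag = (mtu - IP_HDR) // 8 * 8        # non-final fragments carry a multiple of 8
    if IP_HDR + total <= mtu:
        per_frag = total                      # fits in one packet, no fragmentation
    frags, offset = [], 0
    while offset < total:
        size = min(per_frag, total - offset)
        start = max(offset - UDP_HDR, 0)      # UDP header occupies datagram bytes 0..7
        frags.append({
            "frag_offset": offset // 8,       # IP header field, in 8-byte units
            "more_fragments": offset + size < total,
            "has_udp_header": offset == 0,    # ports exist only in the first fragment
            "payload": payload[start:offset + size - UDP_HDR],
        })
        offset += size
    return frags

def per_packet_view(payload: bytes, content: bytes, mtu: int = 1500):
    """What a matcher sees with and without IP defragmentation."""
    frags = fragment_udp(payload, mtu)
    return {
        "fragments": len(frags),
        "fragments_with_ports": sum(f["has_udp_header"] for f in frags),
        "content_in_single_fragment": any(content in f["payload"] for f in frags),
        "content_after_reassembly": content in b"".join(f["payload"] for f in frags),
    }

if __name__ == "__main__":
    # Constructed payloads: the marker sits inside a small datagram, then
    # across the 1472-byte boundary of a 2000-byte datagram.
    small = b"A" * 100 + b"MARKER" + b"A" * 1194
    large = b"A" * 1470 + b"MARKER" + b"A" * 524
    for name, data in (("small", small), ("large", large)):
        print(name, len(data), per_packet_view(data, b"MARKER"))
```

In the large case only the first fragment carries the UDP ports and the marker straddles the fragment boundary, so the ports and the full content are visible together only after IP reassembly, which is the job of frag3 in Snort 2.x.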
Current thread:
- UDP packet size limit Document Retention (Dec 23)
- Re: UDP packet size limit Russ Combs (Dec 23)