Snort mailing list archives

Re: Snort only partially alerting


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 19 Jul 2013 16:43:04 -0400

On 7/19/2013 15:43, Frank Calone wrote:
> A thank you to all who helped to resolve this issue with partial alerting on
> events.  It turns out that we had packet truncation (due to a large framing
> size) which was causing us to miss alerts.  This was noticed when I ran snort
> in the foreground.  The following message showed up:
> (snort_decoder) WARNING: IP dgm len > captured len

I'm assuming that this is the follow-up on what we were discussing a few weeks 
ago? If yes, there might be some info in there to assist us with a few things 
we've been seeing with 2.9.5, but they are not large-packet related AFAWCT... 
mainly things being missed, like some portion of the 3-way handshake causing an 
alert, and reset-outside-of-window stuff...

Perhaps the -k none checksum option is the fix? I dunno yet, as our snorts are 
started by security binaries instead of normal scripts... that makes it very 
hard to change the startup options on a whim... at best it requires a recompile 
of the startup binary, and that requires a dev machine since there are no source 
libraries or compiler bits on a working and deployed system ;) O:)

-- 
NOTE: No off-list assistance is given without prior approval.
       Please keep mailing list traffic on the list unless
       private contact is specifically requested and granted.
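The condition behind the quoted "IP dgm len > captured len" decoder warning is simple to check offline: the IPv4 header's total-length field claims more bytes than the capture actually holds for that frame, which happens when frames (jumbo frames in the case above) exceed the snaplen the sensor captures with. The script below is an added example, not code from the thread or from the Snort project: it parses a classic libpcap file, applies that comparison to every Ethernet/IPv4 record, and reports the largest original frame size seen, which is the minimum snaplen the sensor needs (the -P snaplen option in Snort 2.x). The pcap it examines is constructed inline (a few frames of 74, 1514 and 9014 bytes captured with a 1514-byte snaplen); the file format and link-type constants are the standard ones, and the hypothetical helper names are mine.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4        # classic libpcap, microsecond timestamps, little-endian
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data):
    """Return (snaplen, [(incl_len, orig_len, frame_bytes), ...]) from a classic pcap blob."""
    magic, _vmaj, _vmin, _tz, _sigfigs, snaplen, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("example only handles Ethernet link type")
    off, records = 24, []
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, orig_len = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        records.append((incl_len, orig_len, data[off:off + incl_len]))
        off += incl_len
    return snaplen, records


def ip_datagram_length(frame):
    """Total-length field of the IPv4 header carried in an Ethernet II frame, or None."""
    if len(frame) < ETH_HDR_LEN + 20:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    return struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]


def find_truncated(pcap_bytes):
    """Records whose IP datagram length exceeds the IP bytes actually captured.

    Returns (snaplen, [(record_index, ip_dgm_len, captured_ip_bytes, orig_frame_len), ...]).
    This is the same comparison that triggers Snort's 'IP dgm len > captured len' warning.
    """
    snaplen, records = parse_pcap(pcap_bytes)
    findings = []
    for idx, (_incl_len, orig_len, frame) in enumerate(records):
        dgm_len = ip_datagram_length(frame)
        if dgm_len is None:
            continue
        captured_ip_bytes = len(frame) - ETH_HDR_LEN
        if dgm_len > captured_ip_bytes:
            findings.append((idx, dgm_len, captured_ip_bytes, orig_len))
    return snaplen, findings


def recommended_snaplen(pcap_bytes):
    """Largest original frame in the capture: the smallest snaplen that would not truncate it."""
    _snaplen, records = parse_pcap(pcap_bytes)
    return max(orig_len for _, orig_len, _ in records)


# --- constructed sample capture (not real traffic) ---------------------------------
def make_frame(total_frame_len):
    """Ethernet II + minimal IPv4/UDP-marked header + filler payload of the requested size."""
    ip_total = total_frame_len - ETH_HDR_LEN
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total, 0x1234, 0x4000, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + b"A" * (ip_total - 20)


def build_pcap(snaplen, frame_lens):
    """Serialize frames as a sensor with the given snaplen would have captured them."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for n, flen in enumerate(frame_lens):
        frame = make_frame(flen)
        captured = frame[:snaplen]          # truncation at snaplen, orig_len keeps the true size
        out += struct.pack("<IIII", 1374259200 + n, 0, len(captured), len(frame)) + captured
    return out


# Two 9014-byte jumbo frames captured with the common 1514-byte snaplen.
SAMPLE_PCAP = build_pcap(snaplen=1514, frame_lens=[74, 1514, 9014, 1514, 9014])

if __name__ == "__main__":
    snaplen, findings = find_truncated(SAMPLE_PCAP)
    for idx, dgm_len, got, orig in findings:
        print(f"record {idx}: IP dgm len {dgm_len} > captured {got} (frame was {orig} bytes)")
    print(f"capture snaplen {snaplen}; largest frame {recommended_snaplen(SAMPLE_PCAP)}")
```

Run it against a pcap taken on the sensor interface (replace SAMPLE_PCAP with the file's bytes) before touching the startup options: if it reports nothing, the missed alerts are not a snaplen problem and the -k checksum mode is the next thing to look at.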
