Re: why UDP disc acquire?

[Andrey Kiryukhin <andrei_1980 () mail ru>]

Thank you, guys. It's realy malformed packet, because  udp length was
incorrect.  In pcap file:
IP total length = 828 bytes
UDP length = 800 bytes , but it must be 808 bytes.  I correct this in
pcap file, and now Snort  generate alerts on this pcap file.  

Thanks.


25.06.2016 15:50, wkitty42 () windstream net пишет:
> On 06/25/2016 05:01 AM, Andrey Kiryukhin wrote:
> > Why you think that udp packet malformed? Tools like wireshark, tcpdump and
> > tcpreplay handle it correctly.  This packets have only wrong checksum, but i
> >  disable checksum control in Snort by using option "-k none".
> a wrong checksum indicates several possible problems...
>
>    malformed packet
>    corrupted packet
>    modified packet
>    bad checksum formula
>
> yes, some would say that the first three are the same thing but there are subtle 
> differences... the first one is generated incorrectly, the second one has been 
> damaged somewhere along the line and the third one has been modified somehow 
> along the line...

------------------------------------------------------------------------------
Attend Shape: An AT&T Tech Expo July 15-16. Meet us at AT&T Park in San
Francisco, CA to explore cutting-edge tech and listen to tech luminaries
present their vision of the future. This family event has something for
everyone, including kids. Get more information and register today.
http://sdm.link/attshape

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!