Re: Dont discard truncated packets

[Felix Erlacher <felix.erlacher () uibk ac at>]

FWIW:
I didnt find out how to tell Snort NOT to discard truncated packets and
very likely there is no such option. So I found another solution that
worked for me:
As Snort does not like truncated packets I had to fix the size info in
my pcap file so that packets do not appear truncated anymore.
I replayed the trace with tcpreplay and the --pktlen option on one VM
and captured the traffic with tcpdump on another VM.
Off course, the result is not the same pcap trace at all:
-packets are still truncated, just the size information is fixed.
-it is nearly impossible to have the same timing as before, this might
influence the outcome of a Snort Analysis.
-other effects that I didnt consider yet.

greets

Felix


On 26/01/17 20:04, Felix Erlacher wrote:
> Hi all,
>
> I have a pcap trace with one packet containing payload for a rule I want
> to test. The packet is truncated. The rule does not trigger an alert.
> I can see in the protocol statistics that one IPv4 packet is discarded.
> As I only have one packet in the trace I assume it is discarded because
> it is truncated.
>
> Can I tell Snort to not discard truncated packets?
>
> Or better, not to discard packets with "basic encoding integrity flaws"
> as the manual calls it.
> I tried various preproc options from the manual, always with the result
> of truncated packets being discarded.
> While I am aware that having Snort analyze truncated packets might not
> be the best of ideas, it would be helpful in various test scenarios.
>
> BTW: I am using the "-k none" switch, so this problem shouldn't be
> caused by checksum errors.
>
> greets
>
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest Snort news!

-- 
Felix Erlacher

Institute of Computer Science
University of Innsbruck
ccs-labs.org/~erlacher

Key-ID:4EAC0959

Attachment: signature.asc
Description: OpenPGP digital signature

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!