Snort mailing list archives
Re: Dont discard truncated packets
From: Felix Erlacher <felix.erlacher () uibk ac at>
Date: Fri, 27 Jan 2017 17:26:10 +0100
FWIW: I didn't find out how to tell Snort NOT to discard truncated packets, and very likely there is no such option. So I found another solution that worked for me: as Snort does not like truncated packets, I had to fix the size info in my pcap file so that packets do not appear truncated anymore. I replayed the trace with tcpreplay and the --pktlen option on one VM and captured the traffic with tcpdump on another VM.

Of course, the result is not the same pcap trace at all:

- packets are still truncated, just the size information is fixed.
- it is nearly impossible to have the same timing as before; this might influence the outcome of a Snort analysis.
- other effects that I didn't consider yet.

greets
Felix

On 26/01/17 20:04, Felix Erlacher wrote:
Hi all,

I have a pcap trace with one packet containing payload for a rule I want to test. The packet is truncated. The rule does not trigger an alert. I can see in the protocol statistics that one IPv4 packet is discarded. As I only have one packet in the trace, I assume it is discarded because it is truncated.

Can I tell Snort to not discard truncated packets? Or better, not to discard packets with "basic encoding integrity flaws", as the manual calls it. I tried various preproc options from the manual, always with the result of truncated packets being discarded.

While I am aware that having Snort analyze truncated packets might not be the best of ideas, it would be helpful in various test scenarios.

BTW: I am using the "-k none" switch, so this problem shouldn't be caused by checksum errors.

greets

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
--
Felix Erlacher
Institute of Computer Science
University of Innsbruck
ccs-labs.org/~erlacher
Key-ID: 4EAC0959
Attachment:
signature.asc
Description: OpenPGP digital signature
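The thread turns on two different notions of "truncated": a pcap record whose captured length is shorter than its recorded wire length, and an IPv4 header whose total-length field promises more bytes than were captured. The following script is an added example written for this archive page, not code from Snort, tcpreplay or the poster. It parses a classic pcap file, reports packets that fail either check, and offers an offline alternative to the tcpreplay/tcpdump round trip described above: zero-padding each record to its wire length so caplen equals wirelen. The exact decoder condition Snort uses to discard a packet is not stated on the page; the IPv4 total-length check here is my assumption of the most likely cause. The sample pcap is constructed in memory, and the function names are mine.

```python
"""Report truncated packets in a classic pcap and optionally pad them so the
length fields are consistent.  Example code for this thread (not Snort's or
tcpreplay's); the sample capture below is constructed in memory."""
import struct
import sys

PCAP_MAGIC = 0xA1B2C3D4          # host-order magic of a classic pcap file
PCAP_MAGIC_SWAPPED = 0xD4C3B2A1  # same magic written in the other byte order
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800


def parse_pcap(data):
    """Return (endian, snaplen, records); each record is
    (ts_sec, ts_usec, caplen, wirelen, frame_bytes)."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == PCAP_MAGIC_SWAPPED:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    _, _, _, _, _, snaplen, _ = struct.unpack_from(endian + "IHHiIII", data, 0)
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, caplen, wirelen = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        records.append((ts_sec, ts_usec, caplen, wirelen, data[off:off + caplen]))
        off += caplen
    return endian, snaplen, records


def ipv4_total_length(frame):
    """IPv4 total-length field of an Ethernet frame, or None if not IPv4."""
    if len(frame) < ETH_HDR_LEN + 4:
        return None
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype != ETHERTYPE_IPV4:
        return None
    total_len, = struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)
    return total_len


def find_truncated(data):
    """List (packet_number, [reasons]) for every record that looks truncated:
    caplen < wirelen, or an IPv4 total length that does not fit in caplen."""
    findings = []
    for idx, (_, _, caplen, wirelen, frame) in enumerate(parse_pcap(data)[2], 1):
        reasons = []
        if caplen < wirelen:
            reasons.append("caplen %d < wirelen %d" % (caplen, wirelen))
        ip_len = ipv4_total_length(frame)
        if ip_len is not None and ETH_HDR_LEN + ip_len > caplen:
            reasons.append("IPv4 total length %d exceeds the %d captured bytes" % (ip_len, caplen))
        if reasons:
            findings.append((idx, reasons))
    return findings


def pad_to_wirelen(data):
    """Rewrite the pcap so caplen == wirelen for every record, zero-filling the
    bytes that were never captured.  Like the replay-and-recapture trick in the
    thread, this only fixes the size information; the real payload stays lost."""
    endian, snaplen, records = parse_pcap(data)
    out = bytearray(data[:24])
    for ts_sec, ts_usec, caplen, wirelen, frame in records:
        frame = frame + b"\x00" * (wirelen - len(frame))
        out += struct.pack(endian + "IIII", ts_sec, ts_usec, wirelen, wirelen) + frame
        snaplen = max(snaplen, wirelen)
    struct.pack_into(endian + "I", out, 16, snaplen)  # keep the global snaplen honest
    return bytes(out)


# --- constructed sample data: Ethernet/IPv4/UDP frames with a 32-byte payload ---
def build_frame(payload_len):
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + payload_len, 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", 12345, 53, 8 + payload_len, 0)
    return eth + ip + udp + b"A" * payload_len


def build_pcap(records, snaplen=65535):
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for caplen, wirelen, frame in records:
        out += struct.pack("<IIII", 0, 0, caplen, wirelen) + frame[:caplen]
    return out


# packet 1: 74 bytes on the wire, only the 42 header bytes captured; packet 2: intact
SAMPLE_PCAP = build_pcap([(42, 74, build_frame(32)), (74, 74, build_frame(32))])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for number, reasons in find_truncated(data):
        print("packet %d: %s" % (number, "; ".join(reasons)))
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(pad_to_wirelen(data))
```

Run it with a capture path to list the records Snort would have reason to drop, and with a second path to write the padded copy. The padded file makes caplen and wirelen agree but does not restore the bytes that were cut off, so a content rule that needs those bytes will still not fire; the padding only stops the packet from being rejected on length grounds, which is the same limitation the poster notes for the tcpreplay approach.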
Current thread:
- Dont discard truncated packets Felix Erlacher (Jan 26)
- Re: Dont discard truncated packets Felix Erlacher (Jan 27)