Snort mailing list archives

Re: Snort3: no rule for "bad cksum"


From: Russ via Snort-users <snort-users () lists snort org>
Date: Thu, 28 Mar 2019 08:18:09 -0400

Meridoff,

Snort doesn't actually alert on bad checksums because it is something that happens to normal traffic and network nodes are expected to drop such packets.  Ideally your Snort deployment would be such that Snort expects good checksums and can safely drop those packets too but there are times when Snort might need to disregard checksums due to snap length, LRO, etc.  In any case, Snort will report these bad checksum counts:

$ snort --help-counts | grep checksum
icmp4.bad_checksum: non-zero icmp checksums (sum)
icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
ipv4.bad_checksum: nonzero ip checksums (sum)
tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum)
udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)

These pegs will show up in the shutdown output.  They can also be configured to be logged with perf_monitor stats.

Hope that helps.
Russ

On 3/28/19 6:58 AM, Meridoff via Snort-users wrote:


Wed, 27 Mar 2019 at 12:26, Meridoff <oagvozd () gmail com <mailto:oagvozd () gmail com>>:

    Hello, I've set up in network {} table all options concerning
    cksum evaluating and bad cksum dropping. All is ok - bad cksum
    packet is not forwarded through snort.

    But now messages in log about it. And I've not found any rule for
    bad cksum in builtin rules.


Misprinted: "But no messages in log about it"


    Why? And how I can recognize that packet with bad cksum was
    alerted/dropped and so on ?

    Thanks!


_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe:
https://lists.snort.org/mailman/listinfo/snort-users

        To unsubscribe, send an email to:
        snort-users-leave () lists snort org

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette


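Added example, not part of the original message and not Snort's own code: a Python sketch of the check behind the "nonzero ... checksums" peg descriptions listed in the reply. A valid IPv4 header or TCP segment re-sums to zero when its checksum field is included, so any nonzero result is counted. The peg names are taken from the `--help-counts` output above; the packets, addresses, ports and function names are constructed for illustration, and stopping at the first bad layer is an assumption of this sketch.

```python
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 Internet checksum: complemented 16-bit one's-complement sum."""
    if len(data) % 2:
        data += b"\x00"                      # pad odd-length input
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_packet(bad_ip=False, bad_tcp=False, payload=b"hello") -> bytes:
    """Constructed IPv4/TCP packet; a flag flips one bit of that checksum."""
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 2])
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 1024, 0, 0) + payload
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", csum16(pseudo + tcp) ^ bad_tcp) + tcp[18:]
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0) + src + dst
    ip = ip[:10] + struct.pack("!H", csum16(ip) ^ bad_ip) + ip[12:]
    return ip + tcp

def count_bad_checksums(packets) -> dict:
    """Tally failures under the peg names shown by `snort --help-counts`."""
    pegs = {"ipv4.bad_checksum": 0, "tcp.bad_tcp4_checksum": 0}
    for pkt in packets:
        ihl = (pkt[0] & 0x0F) * 4
        if csum16(pkt[:ihl]) != 0:           # valid header re-sums to zero
            pegs["ipv4.bad_checksum"] += 1
            continue                         # sketch stops at first bad layer (assumption)
        if pkt[9] == 6:                      # protocol field: TCP
            end = struct.unpack("!H", pkt[2:4])[0]
            tcp = pkt[ihl:end]
            pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
            if csum16(pseudo + tcp) != 0:
                pegs["tcp.bad_tcp4_checksum"] += 1
    return pegs

if __name__ == "__main__":
    sample = [build_packet(), build_packet(bad_ip=True), build_packet(bad_tcp=True)]
    print(count_bad_checksums(sample))
```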