Snort mailing list archives
Re: Snort3: no rule for "bad cksum"
From: Russ via Snort-users <snort-users () lists snort org>
Date: Thu, 28 Mar 2019 08:18:09 -0400
Meridoff,
Snort doesn't actually alert on bad checksums because it is something that happens to normal traffic and network nodes are expected to drop such packets. Ideally your Snort deployment would be such that Snort expects good checksums and can safely drop those packets too, but there are times when Snort might need to disregard checksums due to snap length, LRO, etc. In any case, Snort will report these bad checksum counts:
$ snort --help-counts | grep checksum
icmp4.bad_checksum: non-zero icmp checksums (sum)
icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
ipv4.bad_checksum: nonzero ip checksums (sum)
tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum)
udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)

These pegs will show up in the shutdown output. They can also be configured to be logged with perf_monitor stats.
Hope that helps.
Russ

On 3/28/19 6:58 AM, Meridoff via Snort-users wrote:
Wed, 27 Mar 2019 at 12:26, Meridoff <oagvozd () gmail com>:
Hello, I've set up in network {} table all options concerning cksum evaluating and bad cksum dropping. All is ok - bad cksum packet is not forwarded through snort. But now messages in log about it. And I've not found any rule for bad cksum in builtin rules.
Misprinted: "But no messages in log about it"
Why? And how can I recognize that packet with bad cksum was alerted/dropped and so on?
Thanks!
_______________________________________________
Snort-users mailing list
Snort-users () lists snort org
Go to this URL to change user options or unsubscribe: https://lists.snort.org/mailman/listinfo/snort-users
To unsubscribe, send an email to: snort-users-leave () lists snort org
Please visit http://blog.snort.org to stay current on all the latest Snort news!
Please follow these rules: https://snort.org/faq/what-is-the-mailing-list-etiquette
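A snort.lua fragment for the setup discussed in this thread, added here as an example and not taken from the messages or from the Snort project's shipped configuration. The peg names are the ones listed in the `--help-counts` output above; the `checksum_eval`/`checksum_drop` values, the 60-second interval and the CSV file output are assumptions chosen for illustration.

```lua
-- Added example, not part of the original thread.

-- Evaluate every checksum and drop packets that fail verification.
-- On sensors where offloading (e.g. LRO) or a short snap length makes
-- checksums unreliable, these would be relaxed instead of set to 'all'.
network =
{
    checksum_eval = 'all',   -- assumed value
    checksum_drop = 'all',   -- assumed value
}

-- Snort has no builtin rule for bad checksums, so track the counters:
-- write the bad-checksum pegs periodically instead of waiting for the
-- totals printed at shutdown.
perf_monitor =
{
    seconds = 60,        -- assumed reporting interval
    format  = 'csv',     -- assumed output format
    output  = 'file',    -- written under the configured log directory
    modules =
    {
        { name = 'ipv4',  pegs = 'bad_checksum' },
        { name = 'icmp4', pegs = 'bad_checksum' },
        { name = 'icmp6', pegs = 'bad_icmp6_checksum' },
        { name = 'tcp',   pegs = 'bad_tcp4_checksum bad_tcp6_checksum' },
        { name = 'udp',   pegs = 'bad_udp4_checksum bad_udp6_checksum' },
    },
}
```

A sustained rise in any of these counters between intervals is the signal to investigate, since individual bad-checksum packets occur in normal traffic.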
Current thread:
- Snort3: no rule for "bad cksum" Meridoff via Snort-users (Mar 27)
- Re: Snort3: no rule for "bad cksum" Meridoff via Snort-users (Mar 28)
- Re: Snort3: no rule for "bad cksum" Russ via Snort-users (Mar 28)
- Re: Snort3: no rule for "bad cksum" Meridoff via Snort-users (Mar 28)