Snort mailing list archives
Re: IP short header
From: Render-Vue <sales () render-vue com>
Date: Sun, 03 Mar 2002 13:44:50 +1300
Hi Yah,

John replied to our question...

"Well, the short answer that doesn't tell you much is that the IP header is expected to be 20 bytes long. What you're receiving is only 18 long, and it triggers a rule in -- hmm.. I can't grep for 'short header' in *.rules -- what version of snort did you say you were running, and what platform ;-) ?"

Sorry John, Sunday morning here and didn't want to spend all day in front of the screen :)
Snort's running on one of our Cobalt RaQs and it's version 1.8.3, and the latest rules were loaded yesterday. I figure it was expecting a certain header length but didn't know what the default size was. But as I said, I've been running it for months now and never came across this in logcheck.
The same day that came through there were a lot of SCAN FINS recorded by Snort's logs and more than my usual share of ICMP Source Quenches and port scans, whether that has anything to do with it or not?
Regards
Chae
Current thread:
- IP short header Render-Vue (Mar 02)
- Re: IP short header John Sage (Mar 02)
- Re: IP short header Chris Green (Mar 02)
- <Possible follow-ups>
- Re: IP short header Render-Vue (Mar 02)
- Re: IP short header Peter Kahle (Mar 02)
- Re: Re: IP short header Fyodor (Mar 03)