Snort mailing list archives
Re: 1.9.0 and "Unknown Datagram decoding problem"
From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 8 Oct 2002 14:14:08 -0700 (PDT)
On Wed, 9 Oct 2002, Jason Haar wrote:

> On our network, this alert is triggering every time our SNMP network management server talks to any host over our VPN. It appears to be matching on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged traffic than "normal" networks).

Hrm... It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or ICMP_REDIRECT. If you have it, I'd suggest grabbing a pcap of some of those packets and then building a debug version of snort. Enable debugging in the decoder and then run the pcap thru it to track down what it's really doing.

> Any timeframe for either fixing this or being able to disable it?
With the right info, you should be able to write a BPF filter to drop the packets that are causing it for now.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
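One way to gather the "right info" for such a BPF filter, as an added example that is not part of the original post or of Snort: it reads a classic Ethernet pcap, tallies which hosts send ICMP destination-unreachable or redirect packets, and builds an exclusion expression limited to those sources. The function names and the 192.0.2.x sample capture are constructed for illustration.

```python
import socket, struct
from collections import Counter

# pcap-filter keywords for ICMP types 3 (dest unreachable) and 5 (redirect)
ICMP_NAMES = {3: "icmp-unreach", 5: "icmp-redirect"}

def icmp_sources(pcap):
    """Count (src, dst, icmp_type) for unreachable/redirect packets in an Ethernet pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    magic, linktype = struct.unpack(endian + "I16xI", pcap[:24])
    if magic != 0xA1B2C3D4 or linktype != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    counts, off = Counter(), 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # not IPv4 over Ethernet
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        frag_offset = struct.unpack("!H", ip[6:8])[0] & 0x1FFF
        if ip[9] != 1 or frag_offset or ihl < 20 or len(ip) <= ihl:
            continue                      # not ICMP, or a later fragment without the ICMP header
        if ip[ihl] in ICMP_NAMES:
            counts[(socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]), ip[ihl])] += 1
    return counts

def bpf_exclusion(counts):
    """BPF expression that excludes only the observed source/type pairs."""
    terms = sorted({f"(src host {s} and icmp[icmptype] = {ICMP_NAMES[t]})"
                    for s, _, t in counts})
    return "not (" + " or ".join(terms) + ")" if terms else ""

def _frame(src, dst, proto, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def sample_pcap():
    """Constructed capture: two unreachables, one UDP datagram, one redirect."""
    frames = [_frame("192.0.2.1", "192.0.2.10", 1, b"\x03\x03" + b"\x00" * 6),
              _frame("192.0.2.1", "192.0.2.10", 1, b"\x03\x01" + b"\x00" * 6),
              _frame("192.0.2.10", "192.0.2.20", 17, b"\x00" * 8),
              _frame("192.0.2.2", "192.0.2.10", 5 and 1, b"\x05\x01" + b"\x00" * 6)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return out + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

if __name__ == "__main__":
    print(bpf_exclusion(icmp_sources(sample_pcap())))
```

A BPF filter is applied by libpcap before Snort sees the packets, so no rule can fire on anything it excludes; scoping the expression to the observed sources keeps that blind spot small.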