Snort mailing list archives

Re: 1.9.0 and "Unknown Datagram decoding problem"


From: Erek Adams <erek () theadamsfamily net>
Date: Tue, 8 Oct 2002 14:14:08 -0700 (PDT)

On Wed, 9 Oct 2002, Jason Haar wrote:

> On our network, this alert is triggering every time our SNMP network
> management server talks to any host over our VPN. It appears to be matching
> on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
> traffic than "normal" networks).

Hrm...  It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or
ICMP_REDIRECT.

If you have it, I'd suggest grabbing a pcap of some of those packets and then
building a debug version of snort.  Enable debugging in the decoder and then
run the pcap thru it to track down what it's really doing.

> Any timeframe for either fixing this or being able to disable it?

With the right info, you should be able to write a BPF filter to drop the
packets that are causing it for now.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
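
An added example, not part of the original message and not Snort code: a small triage helper for the captured packets that lists ICMP destination-unreachable and redirect packets, summarizes the datagram each one quotes, and builds a narrowly scoped BPF exclusion from what it finds. The sample frames, addresses, Ethernet framing and all function names are assumptions made for illustration.

```python
import struct

SUSPECT = {3: "dest-unreachable", 5: "redirect"}  # ICMP types named in the reply

def ipv4(buf):
    """Return (proto, src, dst, frag_offset_bytes, more_frags, payload) of an IPv4 packet."""
    vihl, _, _, _, frag, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    ihl = (vihl & 0x0F) * 4
    return proto, src, dst, (frag & 0x1FFF) * 8, bool(frag & 0x2000), buf[ihl:]

def triage(frames):
    """List ICMP type 3/5 packets with a summary of the datagram each one quotes."""
    hits = []
    for n, frame in enumerate(frames, 1):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # Ethernet + IPv4 only
            continue
        proto, src, _, off, _, body = ipv4(frame[14:])
        if proto != 1 or off or len(body) < 28 or body[0] not in SUSPECT:
            continue
        q_proto, _, _, q_off, q_mf, q_body = ipv4(body[8:])   # quoted datagram
        udp_first = q_proto == 17 and q_off == 0 and len(q_body) >= 4
        dport = struct.unpack("!H", q_body[2:4])[0] if udp_first else None
        hits.append({"frame": n, "icmp_type": body[0], "from": ".".join(map(str, src)),
                     "quoted_proto": q_proto, "quoted_fragmented": q_mf or q_off > 0,
                     "quoted_udp_dport": dport})
    return hits

def bpf_exclusion(hits):
    """Build a BPF expression that skips only the (sender, ICMP type) pairs seen."""
    pairs = sorted({(h["from"], h["icmp_type"]) for h in hits})
    terms = [f"(src host {ip} and icmp[0] = {t})" for ip, t in pairs]
    return "not (" + " or ".join(terms) + ")" if terms else ""

# --- constructed sample frames (addresses and ports are made up) ---
def _ip(proto, src, dst, payload, frag=0):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, frag, 64,
                       proto, 0, bytes(src), bytes(dst)) + payload
ETH = b"\x00" * 12 + b"\x08\x00"
MGR, HOST, GW = (10, 0, 0, 5), (10, 1, 0, 9), (10, 0, 0, 1)
snmp_frag = _ip(17, MGR, HOST, struct.pack("!HHHH", 40000, 161, 1480, 0), frag=0x2000)
esp = _ip(50, MGR, HOST, b"\x00" * 8)
SAMPLE = [
    ETH + _ip(1, GW, MGR, struct.pack("!BBHI", 3, 1, 0, 0) + snmp_frag),      # unreachable
    ETH + _ip(1, GW, MGR, struct.pack("!BBH4s", 5, 1, 0, bytes(GW)) + esp),   # redirect
    ETH + _ip(1, MGR, HOST, struct.pack("!BBHI", 8, 0, 0, 1) + b"x" * 20),    # echo, ignored
]

if __name__ == "__main__":
    print(*triage(SAMPLE), bpf_exclusion(triage(SAMPLE)), sep="\n")
```

Scoping the expression to the senders actually observed keeps the sensor looking at unreachable and redirect messages from everywhere else; Snort accepts a BPF expression as its trailing command-line argument.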


