Snort mailing list archives
Re: 1.9.0 and "Unknown Datagram decoding problem"
From: Chris Green <cmg () sourcefire com>
Date: Tue, 08 Oct 2002 19:23:08 -0400
Erek Adams <erek () theadamsfamily net> writes:
> On Wed, 9 Oct 2002, Jason Haar wrote:
>
> > On our network, this alert is triggering every time our SNMP network management server talks to any host over our VPN. It appears to be matching on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged traffic than "normal" networks).
Please give me a pcap of the traffic that it is generating alerts on. I made the default "we don't know how to decode this or we screwed up decoding", do a bit more verbosity rather than the ErrorMessages() it used to do. In the meantime, config disable_decode_alerts in your snort.conf will help.
> Hrm... It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or ICMP_REDIRECT. If you have it, I'd suggest grabbing a pcap of some of those packets and then building a debug version of snort. Enable debugging in the decoder and then run the pcap thru it to track down what it's really doing.
>
> > Any timeframe for either fixing this or being able to disable it?
>
> With the right info, you should be able to write a BPF filter to drop the packets that are causing it for now.
>
> Cheers!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net
>
> -------------------------------------------------------
> This sf.net email is sponsored by:ThinkGeek
> Welcome to geek heaven.
> http://thinkgeek.com/sf
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
--
Chris Green <cmg () sourcefire com>
Don't use a big word where a diminutive one will suffice.
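One way to check the two theories raised in this thread against a capture before filtering anything, as an added example that is not from the original messages or from Snort: it counts fragmented UDP and ICMP type 3/5 packets in a classic pcap file. The function names, the sample capture and the `EXCLUDE_BPF` string are constructed for illustration.

```python
import struct
from collections import Counter

# pcap-filter expression excluding the ICMP types Erek names (illustrative assumption).
EXCLUDE_BPF = "not (icmp[icmptype] = icmp-unreach or icmp[icmptype] = icmp-redirect)"

def classify(pcap_bytes):
    """Count packets per theory in a classic pcap with Ethernet framing."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    counts, off = Counter(), 24            # skip the 24-byte global header
    while off + 16 <= len(pcap_bytes):
        caplen = struct.unpack(endian + "I", pcap_bytes[off + 8:off + 12])[0]
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            counts["other"] += 1           # too short for Ethernet+IPv4, or not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        flags_frag = struct.unpack("!H", ip[6:8])[0]
        fragmented = bool(flags_frag & 0x2000) or bool(flags_frag & 0x1FFF)
        l4 = ip[ihl:]
        if ip[9] == 17 and fragmented:
            counts["udp_fragment"] += 1    # Jason's theory: fragmented UDP (SNMP over VPN)
        elif ip[9] == 1 and not (flags_frag & 0x1FFF) and l4 and l4[0] in (3, 5):
            counts["icmp_unreach_or_redirect"] += 1   # Erek's theory: ICMP type 3 or 5
        else:
            counts["other"] += 1
    return counts

def _frame(proto, flags_frag, payload):    # constructed Ethernet+IPv4 frame, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, flags_frag,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def sample_pcap():
    """Constructed capture: 2 ICMP errors, 2 UDP fragments, 1 echo, 1 whole UDP datagram."""
    udp = struct.pack("!HHHH", 40000, 161, 1500, 0) + b"x" * 8
    frames = [_frame(1, 0, bytes([3, 1]) + b"\x00" * 6), _frame(1, 0, bytes([5, 1]) + b"\x00" * 6),
              _frame(17, 0x2000, udp), _frame(17, 185, b"x" * 16),
              _frame(1, 0, bytes([8, 0]) + b"\x00" * 6), _frame(17, 0, udp)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(dict(classify(sample_pcap())), EXCLUDE_BPF)
```

A BPF exclusion hides the matching packets from every rule and preprocessor, not only from the decoder alert, so confirm with the counts which traffic is responsible before applying one.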
Current thread:
- 1.9.0 and "Unknown Datagram decoding problem" Jason Haar (Oct 08)
- Re: 1.9.0 and "Unknown Datagram decoding problem" Erek Adams (Oct 08)
- Re: 1.9.0 and "Unknown Datagram decoding problem" Chris Green (Oct 08)
- Re: 1.9.0 and "Unknown Datagram decoding problem" Erek Adams (Oct 08)