Snort mailing list archives

RE: WARNING: Not IPv4 datagram!


From: "Petriz, Pablo" <ppetriz () siscat com ar>
Date: Thu, 24 Apr 2003 16:22:34 -0300

I'm having the same problem when upgrading to 2.0.0 (on RH7),
lots of snort_decoder alerts (inside the DMZ!!!) between a 
Win2KTS, an NT4 and a Linux Caldera 7.3. What would that be????

Here are some of the alerts:

(snort_decoder) TCP packet len is smaller than 20 bytes!
(snort_decoder): Truncated Ipv4 Options
(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths
(snort_decoder) WARNING: TCP Data Offset is less than 5!
(snort_decoder) WARNING: Not IPv4 datagram!
(snort_decoder) WARNING: hlen < IP_HEADER_LEN!
(snort_decoder): Short UDP packet, length field > payload length
(snort_decoder) WARNING: TCP Header length exceeds packet length! 

Thanks!

PABLO

From: "Jeremia d." <jdb () penguin-security com>
Reply-To: jdb () penguin-security com
Organization: Penguin-Security Networks
To: snort-users () lists sourceforge net
Date: Wed, 23 Apr 2003 09:27:30 -0400
Subject: [Snort-users] WARNING: Not IPv4 datagram!

I have noticed in my logs recently a lot of alerts with
 [snort] (snort_decoder) WARNING: Not IPv4 datagram!

I have since blocked the ip doing this with iptables. Now I get the same
alerts but the destination is not my ip. Just the first 2 octets match my ip.
Any idea why this is behaving like this?

Thanks ahead.


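As an added example (not from either poster and not Snort's decoder source), the C code below re-implements the header sanity checks that the alert texts quoted in this thread name, with conditions inferred from those texts and the IPv4/TCP/UDP header layouts. `check_datagram`, `check_mutated`, the result codes and the `SAMPLE` bytes are all constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Result codes (names are this example's own); comments quote the alert text. */
enum { DEC_OK, NOT_IPV4,  /* "Not IPv4 datagram!" */
       IP_HLEN_SHORT,     /* "hlen < IP_HEADER_LEN!" */
       IP_TRUNC,          /* header plus options run past the captured bytes */
       TCP_SHORT,         /* "TCP packet len is smaller than 20 bytes!" */
       TCP_DOFF_LOW,      /* "TCP Data Offset is less than 5!" */
       TCP_HLEN_LONG,     /* "TCP Header length exceeds packet length!" */
       UDP_SHORT };       /* "Short UDP packet, length field > payload length" */

/* Constructed sample: 20-byte IPv4 header + 20-byte TCP header, checksums zeroed. */
static const uint8_t SAMPLE[40] = {
    0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, 192, 0, 2, 1, 192, 0, 2, 2,
    0x04, 0, 0, 0x50, 0, 40, 0, 1, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0 };

/* Decode one IP datagram (link-layer header already stripped); first failure wins. */
int check_datagram(const uint8_t *p, size_t len)
{
    if (len < 1 || (p[0] >> 4) != 4) return NOT_IPV4;
    size_t hlen = (size_t)(p[0] & 0x0f) * 4;       /* IHL counts 32-bit words */
    if (hlen < 20) return IP_HLEN_SHORT;
    if (hlen > len) return IP_TRUNC;
    const uint8_t *l4 = p + hlen;                  /* start of TCP/UDP header */
    size_t l4len = len - hlen;
    if (p[9] == 6) {                               /* protocol 6 = TCP */
        if (l4len < 20) return TCP_SHORT;
        size_t doff = l4[12] >> 4;                 /* data offset, 32-bit words */
        if (doff < 5) return TCP_DOFF_LOW;
        if (doff * 4 > l4len) return TCP_HLEN_LONG;
    } else if (p[9] == 17) {                       /* protocol 17 = UDP */
        if (l4len < 8 || (size_t)((l4[4] << 8) | l4[5]) > l4len) return UDP_SHORT;
    }
    return DEC_OK;
}

/* Copy SAMPLE, overwrite one byte, decode only the first len bytes (len <= 40). */
int check_mutated(size_t off, uint8_t val, size_t len)
{
    uint8_t buf[sizeof SAMPLE];
    memcpy(buf, SAMPLE, sizeof buf);
    buf[off] = val;
    return check_datagram(buf, len);
}

int main(void) { printf("%d %d\n", check_datagram(SAMPLE, 40), check_mutated(0, 0x65, 40)); return 0; }
```

A capture cut short or decoded from the wrong offset trips the same checks as a deliberately malformed packet, so the alert text alone does not distinguish the two.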

