Snort mailing list archives
RE: WARNING: Not IPv4 datagram!
From: "Petriz, Pablo" <ppetriz () siscat com ar>
Date: Thu, 24 Apr 2003 16:22:34 -0300
I'm having the same problem when upgrading to 2.0.0 (on RH7), lots of snort_decoder alerts (inside the DMZ!!!) between a Win2KTS, an NT4 and a Linux Caldera 7.3. What would that be????

Here are some of the alerts:

(snort_decoder) TCP packet len is smaller than 20 bytes!
(snort_decoder): Truncated Ipv4 Options
(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths
(snort_decoder) WARNING: TCP Data Offset is less than 5!
(snort_decoder) WARNING: Not IPv4 datagram!
(snort_decoder) WARNING: hlen < IP_HEADER_LEN!
(snort_decoder): Short UDP packet, length field > payload length
(snort_decoder) WARNING: TCP Header length exceeds packet length!

Thanks!
PABLO

From: "Jeremia d." <jdb () penguin-security com>
Reply-To: jdb () penguin-security com
Organization: Penguin-Security Networks
To: snort-users () lists sourceforge net
Date: Wed, 23 Apr 2003 09:27:30 -0400
Subject: [Snort-users] WARNING: Not IPv4 datagram!

I have noticed in my logs recently a lot of alerts with

[snort] (snort_decoder) WARNING: Not IPv4 datagram!

I have since blocked the IP doing this with iptables. Now I get the same alerts but the destination is not my IP. Just the first 2 octets match my IP. Any idea why this is behaving like this?

Thanks ahead.
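Each alert text quoted in this thread names a header-field condition, so the checks can be reproduced on a raw packet to see which field triggers which message. The following is an added example, not Snort's decoder code and not from either poster: the flag names, `decode_check` and the sample packets are made up here, the packet is assumed to start at the IP header, the captured length stands in for the IP total length, and the option-parsing alerts are left out.

```c
#include <stddef.h>
#include <stdint.h>

/* Flag names are invented for this example; each maps to one quoted alert. */
enum {
    NOT_IPV4         = 1 << 0, /* WARNING: Not IPv4 datagram! */
    IP_HLEN_SHORT    = 1 << 1, /* WARNING: hlen < IP_HEADER_LEN! */
    TCP_LEN_SHORT    = 1 << 2, /* TCP packet len is smaller than 20 bytes! */
    TCP_DOFF_LT5     = 1 << 3, /* WARNING: TCP Data Offset is less than 5! */
    TCP_HLEN_EXCEEDS = 1 << 4, /* WARNING: TCP Header length exceeds packet length! */
    UDP_LEN_EXCEEDS  = 1 << 5, /* Short UDP packet, length field > payload length */
    TRUNCATED        = 1 << 6  /* capture too short to parse; not a quoted alert */
};

/* pkt points at the first byte of the IP header; len is the captured length. */
unsigned decode_check(const uint8_t *pkt, size_t len)
{
    if (len < 1) return TRUNCATED;
    if ((pkt[0] >> 4) != 4) return NOT_IPV4;      /* version nibble */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;     /* header length in bytes */
    if (ihl < 20) return IP_HLEN_SHORT;
    if (len < ihl) return TRUNCATED;

    const uint8_t *l4 = pkt + ihl;                /* transport header */
    size_t l4len = len - ihl;
    unsigned flags = 0;
    if (pkt[9] == 6) {                            /* protocol 6 = TCP */
        if (l4len < 20) return TCP_LEN_SHORT;
        size_t doff = l4[12] >> 4;                /* data offset in 32-bit words */
        if (doff < 5) flags |= TCP_DOFF_LT5;
        if (doff * 4 > l4len) flags |= TCP_HLEN_EXCEEDS;
    } else if (pkt[9] == 17) {                    /* protocol 17 = UDP */
        if (l4len < 8) return TRUNCATED;
        size_t ulen = ((size_t)l4[4] << 8) | l4[5];
        if (ulen > l4len) flags |= UDP_LEN_EXCEEDS;
    }
    return flags;
}

/* Constructed sample packets (zero-filled apart from the fields under test). */
static const uint8_t sample_not_v4[4]  = { [0] = 0x60 };
static const uint8_t sample_hlen16[20] = { [0] = 0x44 };
static const uint8_t sample_doff4[40]  = { [0] = 0x45, [9] = 6, [32] = 0x40 };
static const uint8_t sample_doff15[40] = { [0] = 0x45, [9] = 6, [32] = 0xF0 };
static const uint8_t sample_udp256[28] = { [0] = 0x45, [9] = 17, [24] = 0x01 };
```
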
Current thread:
- WARNING: Not IPv4 datagram! Jeremia d. (Apr 23)
- <Possible follow-ups>
- RE: WARNING: Not IPv4 datagram! Petriz, Pablo (Apr 24)