Snort mailing list archives

Re: how to stop these UDP TCP alerts?


From: Phil Wood <cpw () lanl gov>
Date: Thu, 25 Sep 2003 14:26:30 -0600

There are two things going on here.

  1. Snort has built in rules (which can be disabled in the snort.conf file),
     which look for incorrect usage of the IP, ICMP, UDP, and TCP suite
     of protocols.  If you don't want to see them, disable them using the
     pound sign '#'.

  2. People using the Internet these days don't know much about the Internet
     protocol suite, which matured in the early eighties.  Some illustrious
     individuals, such as Comer and Stevens, took the time to write volumes
     about what has become known as TCP/IP back in the early nineties.

People who have a problem understanding number 2 should take a look at:

  Comer: http://www.cs.purdue.edu/homes/dec/netbooks.html
  Stevens: http://www.kohala.com/start/
     
  Comer and Stevens collaborated on a number of the books you should probably
  acquire and read before asking general questions about TCP/IP.

Later,

On Wed, Sep 24, 2003 at 01:20:26PM -0400, jlarsson () altavoz net wrote:
I have scanned through mailing lists looking for which "false alerts" these TCP
checks will stop.  I get the following messages in my alert file:

(snort_decoder): Short UDP packet, length field > payload length
(snort_decoder) WARNING: TCP Header length exceeds packet length!
(snort_decoder): Truncated Tcp Options

Where can I find an explanation of what these mean: "Stop generic decode event",
"Stop alerts on experimental TCP options", etc.?
  
/Johan 
 
PS, Sorry to have sent this two times to you Erek :( 
 
Quoting Erek Adams <erek () snort org>: 
 
On Mon, 22 Sep 2003, Clayton Mascarenhas wrote: 
 
I know this question has been asked before, but I cannot find the answer
to this. I have really searched google and the mailing list but still
can't find the answer to this question.

Could I please know how to stop snort 2.0.2 from generating the
following alerts...

[**] (snort_decoder): Short UDP packet, length field > payload length [**]
01/29-01:00:18.399475 132.x.x.x:0 -> 132.x.x.x:0 UDP TTL:128 TOS:0x0 ID:15667 IpLen:20 DgmLen:161
Len: 133

[**] (snort_decoder) WARNING: TCP Header length exceeds packet length! [**]
01/29-01:00:09.082724 132.x.x.x:0 -> 132.x.x.x:0 TCP TTL:60 TOS:0x0 ID:57434 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x21676561  Ack: 0xCECE0987  Win: 0xC036  TcpLen: 32

I am getting a million of these alerts. I don't think there is any snort
rule for this. Am I correct?
 
They are from the 'snort_decoder', not from a rule. 
 
To stop them you'll have to either use a BPF filter to ignore the hosts,
or turn off the TCP checks in the snort.conf (there's a whole section on
it).
 
Cheers! 
 
----- 
Erek Adams 
 
   "When things get weird, the weird turn pro."   H.S. Thompson 
 
 
------------------------------------------------------- 
This sf.net email is sponsored by:ThinkGeek 
Welcome to geek heaven. 
http://thinkgeek.com/sf 
_______________________________________________ 
Snort-users mailing list 
Snort-users () lists sourceforge net 
Go to this URL to change user options or unsubscribe: 
https://lists.sourceforge.net/lists/listinfo/snort-users 
Snort-users list archive: 
http://www.geocrawler.com/redir-sf.php3?list=snort-users 
 



-- 
Phil Wood (cpw_at_lanl.gov)
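An added example, not code from this thread or from Snort itself: the Python below re-implements the three decoder checks behind the messages quoted above (UDP length field against the bytes present, TCP data offset against the segment length, TCP option lengths against the option space) and runs them over packets constructed in-line, so you can see what each message actually tests before deciding whether to silence it. Addresses, ports and packet contents are made up for the demonstration, and the option walk is an approximation of the decoder's, not a port of it.

```python
import struct

IPPROTO_TCP = 6
IPPROTO_UDP = 17

# The three messages quoted in the thread, reproduced verbatim.
MSG_SHORT_UDP = "Short UDP packet, length field > payload length"
MSG_TCP_HLEN = "TCP Header length exceeds packet length!"
MSG_TCP_OPTS = "Truncated Tcp Options"


def check_tcp_options(opts):
    """Walk the TCP option list; flag an option whose length runs past the header.

    Approximation of the decoder's walk: EOL ends the list, NOP is one byte,
    every other option carries a length byte that must fit in the option area.
    """
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                       # EOL
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(opts):              # kind byte with no length byte
            return [MSG_TCP_OPTS]
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            return [MSG_TCP_OPTS]
        i += length
    return []


def decode(packet):
    """Return the decoder warnings for one raw IPv4 packet (no link layer).

    Lengths are compared against the bytes actually present in `packet`, not
    against what the IP total-length field claims, so a truncated capture
    trips the same checks as a genuinely malformed packet.
    """
    if len(packet) < 20:
        return ["Truncated IP header"]
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    if ihl < 20 or ihl > len(packet):
        return ["IP header length exceeds packet length"]
    l4 = packet[ihl:]                       # transport header + payload
    warnings = []

    if proto == IPPROTO_UDP:
        if len(l4) < 8:
            return ["Truncated UDP header"]
        udp_len = struct.unpack("!H", l4[4:6])[0]
        if udp_len > len(l4):               # length field claims bytes we do not have
            warnings.append(MSG_SHORT_UDP)

    elif proto == IPPROTO_TCP:
        if len(l4) < 20:
            return ["Truncated TCP header"]
        data_offset = (l4[12] >> 4) * 4     # header length in bytes, 20..60
        if data_offset < 20:
            warnings.append("TCP data offset below minimum header size")
        elif data_offset > len(l4):         # header claims to extend past the segment
            warnings.append(MSG_TCP_HLEN)
        else:
            warnings.extend(check_tcp_options(l4[20:data_offset]))

    return warnings


# --- constructed sample packets (made up for this example, not captured) ----

def ipv4(proto, l4):
    """Minimal IPv4 header (no options, zero checksum) in front of `l4`."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0x3D33, 0x4000,
                       64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + l4


def udp(payload, claimed_len=None):
    """UDP header; `claimed_len` overrides the length field to forge a bad one."""
    length = 8 + len(payload) if claimed_len is None else claimed_len
    return struct.pack("!HHHH", 53, 1024, length, 0) + payload


def tcp(options=b"", data_offset_words=None, payload=b""):
    """ACK segment; `data_offset_words` overrides the 4-bit header-length field."""
    opts = options + b"\x00" * (-len(options) % 4)      # pad to 32-bit boundary
    words = 5 + len(opts) // 4 if data_offset_words is None else data_offset_words
    hdr = struct.pack("!HHIIBBHHH", 80, 1024, 0x21676561, 0xCECE0987,
                      words << 4, 0x10, 0xC036, 0, 0)
    return hdr + opts + payload


SAMPLES = {
    "good_udp": ipv4(IPPROTO_UDP, udp(b"hello")),
    # UDP length field says 133 bytes, only 13 (8 header + 5 payload) are present
    "short_udp": ipv4(IPPROTO_UDP, udp(b"hello", claimed_len=133)),
    "good_tcp": ipv4(IPPROTO_TCP, tcp(options=b"\x02\x04\x05\xb4")),   # MSS 1460
    # data offset 8 words = 32-byte header, but only the 20 fixed bytes exist
    "tcp_hdr_too_long": ipv4(IPPROTO_TCP, tcp(data_offset_words=8)),
    # MSS option claiming length 8 inside a 4-byte option area
    "truncated_opts": ipv4(IPPROTO_TCP, tcp(options=b"\x02\x08\x05\xb4")),
}


def run_samples():
    """Map each sample name to the warnings the decoder raises for it."""
    return {name: decode(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, warnings in run_samples().items():
        print(f"{name:18s} {warnings or 'clean'}")
```

Two things worth knowing before silencing these. The comparisons are against bytes actually captured, so a snaplen shorter than the largest frame on the wire produces exactly these messages from perfectly good traffic, and that is worth ruling out before blaming the sending stack. And both knobs Erek mentions are coarse: `config disable_decode_alerts` in snort.conf turns off every decoder alert at once, and a BPF expression given on the snort command line after the options (for instance `not host` followed by the address) drops that host's packets from rule inspection as well, not only from the decoder.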



