Snort mailing list archives
Investigating mangled packets from pre-processor
From: twig les <twigles () yahoo com>
Date: Mon, 1 Mar 2004 16:59:38 -0800 (PST)
Hey *,

I'm looking at a bunch of messages regarding mangled packets like these:

snort: [116:55:1] (snort_decoder): Truncated Tcp Options {TCP} x.x.x.35:80 -> x.x.x.113:32190
(snort_decoder) WARNING: TCP Header length exceeds packet length! {TCP} x.x.x.82:0 -> x.x.x.113:0

There are others, but you get it. My dilemma is that I'm not sure how to figure out the source of these alarms, or if they are false alarms or not. I have a suspect box in mind, but I need some proof (stupid scientific method... grumble grumble). I can't think of a way to capture this type of packet with TCPDump, and I can't do anything tricky with Snort since this is not a signature. Am I missing something?

Our Snort is Version 2.0.5 (Build 98) reporting to syslog only.

=====
-----------------------------------------------------------
With a few exceptions, secrecy is deeply incompatible with democracy and with science. --Carl Sagan
-----------------------------------------------------------
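The two alerts quoted above come from Snort's TCP decoder rather than from a rule, so there is no signature to tune; what fires is a length sanity check on the header itself. The following added example (written for this archive page, not code from the poster or from the Snort project) reproduces the two checks in Python on raw IPv4 packets, so a practitioner can run captured packets through it and see exactly which condition the decoder objects to. The helper names, the placeholder 10.0.0.x addresses and the three sample packets are all constructed for the example; the warning strings are copied from the alert text in the post.

```python
import socket
import struct

# Decoder-style sanity checks for raw IPv4/TCP packets. Hypothetical helper
# (added example, not Snort source); the message strings mirror the two
# snort_decoder warnings quoted in the post.

def tcp_decoder_warnings(frame: bytes) -> list:
    """Return the decoder warnings a raw IPv4 packet would trigger.

    `frame` is the IPv4 packet as captured (no link-layer header). Lengths are
    taken from the bytes actually present, so a segment cut short by the
    capture is flagged the same way as one that was sent short on the wire.
    """
    warnings = []
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return ["IP header truncated or not IPv4"]
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 6:          # protocol 6 = TCP; nothing to check otherwise
        return warnings
    tcp = frame[ihl:]
    if len(tcp) < 20:
        return ["TCP packet len is smaller than 20 bytes"]
    # Data Offset is the upper nibble of TCP byte 12, counted in 32-bit words.
    hlen = (tcp[12] >> 4) * 4
    if hlen < 20:
        return ["TCP Data Offset is less than 5"]
    if hlen > len(tcp):
        # Header claims more bytes than the segment carries: the second alert.
        return ["TCP Header length exceeds packet length"]
    # Walk the options area (TCP bytes 20..hlen) and check each TLV fits.
    opts = tcp[20:hlen]
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:          # End of Option List
            break
        if kind == 1:          # No-Operation, a single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            warnings.append("Truncated Tcp Options")   # kind with no length byte
            break
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            warnings.append("Truncated Tcp Options")   # length overruns the header
            break
        i += length
    return warnings


def build_ipv4_tcp(src, dst, sport, dport, data_offset_words, options=b""):
    """Constructed test packet: minimal IPv4 header plus a TCP SYN with the
    given Data Offset and option bytes. Checksums are left zero; the checks
    above never look at them."""
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          data_offset_words << 4, 0x02, 8192, 0, 0) + options
    total_len = 20 + len(tcp_hdr)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return ip_hdr + tcp_hdr


# Constructed samples; addresses are placeholders, not the poster's hosts.
SAMPLES = {
    # Well-formed SYN carrying an MSS option: no warnings expected.
    "good": build_ipv4_tcp("10.0.0.35", "10.0.0.113", 80, 32190, 6, b"\x02\x04\x05\xb4"),
    # Data Offset 15 (a 60-byte header) on a segment that is only 20 bytes long.
    "hlen_exceeds": build_ipv4_tcp("10.0.0.82", "10.0.0.113", 0, 0, 15),
    # 24-byte header whose options are NOP, NOP, MSS kind, length 4, no value bytes.
    "truncated_opts": build_ipv4_tcp("10.0.0.35", "10.0.0.113", 80, 32190, 6, b"\x01\x01\x02\x04"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {tcp_decoder_warnings(frame) or 'clean'}")
```

To answer the capture question, the header-length condition can also be expressed as a tcpdump filter, since BPF allows arithmetic on packet bytes: `tcp and ((tcp[12]&0xf0)>>2) > (ip[2:2] - ((ip[0]&0xf)<<2))` compares the TCP Data Offset in bytes against the IP payload length derived from the IP total length and IHL fields. Two caveats: it judges by the lengths the IP header claims, not by the bytes actually captured, so segments shortened by a small snaplen look fine to it (hence the `SAMPLES["good"][:42]` case in the checks below), and the option-walk that produces "Truncated Tcp Options" has no single-expression BPF equivalent, so for that alert the packets have to be captured broadly and post-filtered with something like the function above.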
Current thread:
- Investigating mangled packets from pre-processor twig les (Mar 01)