Snort mailing list archives

UDP packet size limit


From: Document Retention <document.retention () gmail com>
Date: Fri, 23 Dec 2011 11:48:19 -0500

Greetings,

During some recent testing it seems that Snort does not detect large (>1500
bytes) UDP packets.  Why does this happen?

I am using hping3 to craft the UDP packets; I see them via tcpdump running
on the Snort box, but Snort refuses to alert.

The rule fires when I have a packet size < 1400 bytes. The rule I am trying
to fire is a very simple "alert udp any any <> any 6033 ..."

What do you guys use to detect this type of packet?

Thanks,

Doc