Snort mailing list archives

Snort only partially alerting


From: Frank Calone <fc10011001 () gmail com>
Date: Tue, 18 Jun 2013 17:14:59 -0400

I still don't have a fix yet to the problem of Snort only alerting
occasionally.  I have it set up to look for exe downloads using just 2
rules.  I have a web site set up to download (not https) an exe file.  I
decided to run snort in full packet logger mode to see what was coming in
(/usr/sbin/snort -dev -i p1p1 -l /var/log/snort -h x.x.x.x/16).  I
immediately started getting the following warning messages:

(snort_decoder) WARNING: IP dgm len > captured len

I then ran the binary capture through the snort playback (-dvr option).
Looking at the packets tied to my PC, I can see that almost all of them
have a datagram length of 40.  Very few packets showed up with a real
payload, certainly not enough to amount to the size of the file I
downloaded during the testing.  I'm not sure if there is a config setting
or something else going wrong here such that very few packets have any real
data.  Here is a sample of what I am seeing:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.229724 15.0.0.18:62287 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A  Ack: 0xEF27E0F7  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Frank
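The count Frank did by eye (how many packets carry a TCP payload versus bare 40-byte ACKs) can be done over the `-dvr` text output itself. The script below is an added example, not code from the post or from the Snort project: it parses the two header lines Snort prints per TCP packet, computes the payload size as DgmLen minus IpLen minus TcpLen, and tallies empty versus data-carrying packets per direction for one host. The sample input is constructed (the first record is the one from the post, the other two are made up) and only the TCP header format is handled.

```python
import re
from collections import defaultdict

# Header lines as Snort prints them in -dv / -dvr mode (TCP only, an assumption here).
HDR_RE = re.compile(r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+(?P<src>[\d.]+):(?P<sport>\d+)"
                    r"\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")
IP_RE = re.compile(r"^TCP TTL:\d+ TOS:0x[0-9A-Fa-f]+ ID:\d+ IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")
TCP_RE = re.compile(r"TcpLen:\s*(?P<tcplen>\d+)")

# Constructed sample: the post's record plus one server data segment and one more client ACK.
SAMPLE = """\
06/18-16:20:19.229724 15.0.0.18:62287 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A  Ack: 0xEF27E0F7  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.231000 212.13.197.229:80 -> 15.0.0.18:62287
TCP TTL:54 TOS:0x0 ID:1001 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xEF27E0F7  Ack: 0x3279955A  Win: 0x0100  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.232000 15.0.0.18:62287 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:7468 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A  Ack: 0xEF27E6AB  Win: 0x4029  TcpLen: 20
"""

def parse_records(text):
    """Return one dict per TCP packet with addresses, flags, DgmLen and computed payload bytes."""
    records, cur = [], None
    for line in text.splitlines():
        line = line.strip()
        if m := HDR_RE.match(line):
            cur = {"src": m["src"], "dst": m["dst"], "sport": int(m["sport"]), "dport": int(m["dport"])}
        elif (m := IP_RE.match(line)) and cur is not None:
            cur["iplen"], cur["dgmlen"] = int(m["iplen"]), int(m["dgmlen"])
        elif (m := TCP_RE.search(line)) and cur is not None and "dgmlen" in cur:
            cur["flags"], cur["tcplen"] = line.split()[0], int(m["tcplen"])
            cur["payload"] = cur["dgmlen"] - cur["iplen"] - cur["tcplen"]  # TCP segment data
            records.append(cur)
            cur = None
    return records

def summarize(records, host):
    """Per direction relative to `host`, count payload-less vs data packets and payload bytes."""
    out = defaultdict(lambda: {"empty": 0, "data": 0, "bytes": 0})
    for r in records:
        if host not in (r["src"], r["dst"]):
            continue
        side = out["out" if r["src"] == host else "in"]
        side["data" if r["payload"] > 0 else "empty"] += 1
        side["bytes"] += max(r["payload"], 0)
    return dict(out)

if __name__ == "__main__":
    print(summarize(parse_records(SAMPLE), "15.0.0.18"))
```

Run over a full `-dvr` dump, an inbound "bytes" total far below the size of the downloaded file quantifies the gap Frank describes.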