[Snort-users] large UDP packets - very strange content
Tom.Vandepoel at ...271...
Mon Oct 9 03:29:29 EDT 2000
Martin Roesch wrote:
> Damn, that's a weird one. That's exactly what it looks like, but I can't see
> how it would actually happen in the code. Do you have the packet logs with
> the packets in question saved anywhere?
Nope, but Fyodor has given me some advice already. He asked me to add
caplen and p->iph->ip_len to the output, so we'd have some proper
debugging info next time.
He's thinking it's either a libpcap bug or someone sending IP packets
that contain more payload than the UDP length field tells us. Most
likely some faulty load balancer...
Anyway, I'll be on the lookout for more of these so I'll keep you
BTW, do you generally recommend keeping raw logs aside from the normal
alert packet dumps?
Sr. Network Security Engineer
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
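
The length comparison this message describes (caplen, the IP total length and the UDP length field), as an added example that is not part of the original message or Snort's own code. The flag names and the sample packet are constructed for illustration; the function assumes `pkt` already points at the IPv4 header.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Flag names are hypothetical, chosen for this example (not Snort's). */
enum { LEN_OK = 0, LEN_BAD_HEADER = 1, LEN_TRUNCATED = 2,
       LEN_FRAGMENT = 4, LEN_UDP_SHORT = 8, LEN_UDP_LONG = 16 };

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* pkt points at the IPv4 header; caplen counts captured bytes from there. */
int check_udp_lengths(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4 || pkt[9] != 17)
        return LEN_BAD_HEADER;              /* not a readable IPv4/UDP header */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t ip_len = be16(pkt + 2);          /* the value behind p->iph->ip_len */
    if (ihl < 20 || ip_len < ihl)
        return LEN_BAD_HEADER;
    int flags = (caplen < ip_len) ? LEN_TRUNCATED : LEN_OK;
    if (be16(pkt + 6) & 0x3fff)             /* MF set or fragment offset != 0 */
        return flags | LEN_FRAGMENT;        /* UDP length spans all fragments */
    if (ip_len < ihl + 8)
        return flags | LEN_BAD_HEADER;      /* no room for a UDP header */
    if (caplen < ihl + 8)
        return flags;                       /* UDP header was not captured */
    size_t udp_len = be16(pkt + ihl + 4);
    size_t ip_payload = ip_len - ihl;
    if (udp_len < 8)               flags |= LEN_BAD_HEADER;
    else if (udp_len < ip_payload) flags |= LEN_UDP_SHORT; /* bytes past UDP end */
    else if (udp_len > ip_payload) flags |= LEN_UDP_LONG;
    return flags;
}

/* Constructed sample: IP total length 40, but UDP length claims only 12,
   so 8 bytes ride along after the UDP datagram ends. Checksums left zero. */
static const uint8_t SAMPLE[40] = {
    0x45, 0x00, 0x00, 0x28, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    192, 0, 2, 1,  192, 0, 2, 2,             /* documentation addresses */
    0x04, 0x00, 0x00, 0x35, 0x00, 0x0c, 0x00, 0x00  /* UDP 1024 -> 53, len 12 */
};

int main(void)
{
    printf("flags=%d\n", check_udp_lengths(SAMPLE, sizeof SAMPLE));
    return 0;
}
```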