[Snort-users] large UDP packets - very strange content

Tom Vandepoel Tom.Vandepoel at ...271...
Mon Oct 9 03:29:29 EDT 2000


Martin Roesch wrote:
> 
> Damn, that's a weird one.  That's exactly what it looks like, but I can't see
> how it would actually happen in the code.  Do you have the packet logs with
> the packets in question saved anywhere?
> 

Nope, but Fyodor has given me some advice already. He asked me to add
caplen and p->iph->ip_len to the output, so we'd have some proper
debugging info next time.

He's thinking it's either a libpcap bug or someone sending IP packets
that contain more payload than the UDP length field tells us. Most
likely some faulty load balancer...

Anyway, I'll be on the lookout for more of these so I'll keep you
posted.

BTW, do you generally recommend keeping raw logs aside from the normal
alert packet dumps?

Tom.



-- 
_________________________________________________

Tom Vandepoel
Sr. Network Security Engineer

www.ubizen.com
tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00 
Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
_________________________________________________
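The cross-check Fyodor suggests above (log caplen and ip_len next to the UDP length) can be done offline on saved packets. The following is an added example, not code from this thread or from Snort: it parses one captured IPv4/UDP datagram (link-layer header assumed already stripped), compares the three lengths, and reports which of the suspected causes fits. The `make_ipv4_udp` builder and the addresses and port in it are constructed test data.

```python
import struct

def check_udp_lengths(frame: bytes) -> dict:
    """Cross-check caplen, IP total length and UDP length of one captured
    IPv4 datagram (no link-layer header). Returns the three values plus
    a list of anomaly descriptions; caplen is simply the captured size."""
    caplen = len(frame)
    r = {"caplen": caplen, "ip_len": None, "udp_len": None, "anomalies": []}
    if caplen < 20:
        r["anomalies"].append("IP header truncated")
        return r
    ver_ihl, _, ip_len, _, _, _, proto, _, _, _ = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    r["ip_len"] = ip_len
    if ver_ihl >> 4 != 4 or ihl < 20 or proto != 17:
        r["anomalies"].append("not a plain IPv4/UDP datagram")
        return r
    if caplen < ip_len:
        # The sniffer's snaplen cut the datagram short: a capture-side problem.
        r["anomalies"].append(f"caplen {caplen} < ip_len {ip_len}: capture truncated")
    elif caplen > ip_len:
        # Bytes after the IP datagram: link-layer padding or appended junk.
        r["anomalies"].append(f"{caplen - ip_len} byte(s) after end of IP datagram")
    if ip_len < ihl + 8 or caplen < ihl + 8:
        r["anomalies"].append("UDP header truncated")
        return r
    udp_len = struct.unpack("!H", frame[ihl + 4:ihl + 6])[0]
    r["udp_len"] = udp_len
    expected = ip_len - ihl
    if udp_len != expected:
        # Sender-side inconsistency: IP carries bytes the UDP header does not declare.
        r["anomalies"].append(f"udp_len {udp_len} != ip_len - ihl {expected}: "
                              f"{expected - udp_len:+d} byte(s) vs UDP length")
    return r

def make_ipv4_udp(payload: bytes, udp_len=None, tail: bytes = b"") -> bytes:
    """Constructed test datagram 10.0.0.1 -> 10.0.0.2 (port 5353); checksums zero."""
    udp_len = 8 + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", 5353, 5353, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + udp + tail

if __name__ == "__main__":
    cases = [("clean", make_ipv4_udp(b"abcd")),
             ("udp_len_short", make_ipv4_udp(b"abcdefgh", udp_len=12)),
             ("snaplen_cut", make_ipv4_udp(b"a" * 200)[:68]),
             ("trailing_junk", make_ipv4_udp(b"abcd", tail=b"\0" * 4))]
    for name, frame in cases:
        print(name, check_udp_lengths(frame))
```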