[Snort-users] large UDP packets - very strange content

Martin Roesch roesch at ...421...
Wed Oct 11 21:01:10 EDT 2000


I like to keep the raw logs so they can be reprocessed through as many
different rules sets and processing options with Snort as possible. :)

    -Marty

Tom Vandepoel wrote:
> 
> Martin Roesch wrote:
> >
> > Damn, that's a weird one.  That's exactly what it looks like, but I can't see
> > how it would actually happen in the code.  Do you have the packet logs with
> > the packets in question saved anywhere?
> >
> 
> Nope, but Fyodor has given me some advice already. He asked me to add
> caplen and p->iph->ip_len to the output, so we'd have some proper
> debugging info next time.
> 
> He's thinking it's either a libpcap bug or someone sending IP packets
> that contain more payload than the UDP length field tells us. Most
> likely some faulty load balancer...
> 
> Anyway, I'll be on the lookout for more of these so I'll keep you
> posted.
> 
> BTW. Do you generally recommend keeping raw logs aside from the normal
> alert packet dumps?
> 
> Tom.
> 
> --
> _________________________________________________
> 
> Tom Vandepoel
> Sr. Network Security Engineer
> 
> www.ubizen.com
> tel +32 (0)16 28 70 00 - fax +32 (0)16 28 71 00
> Ubizen - Grensstraat 1b - B-3010 Leuven - Belgium
> _________________________________________________

-- 
Martin Roesch
roesch at ...421...
http://www.snort.org


