[Snort-users] Barnyard and ACID question

Andrew R. Baker andrewb at ...950...
Tue Nov 6 22:22:03 EST 2001


Steve Halligan wrote:
> 
> One more piece of weirdness:  Barnyard popped up a few "Unknown Network
> Header (0x0)" and inserted an alert with only a sig, no ip info, tcp info,
> etc.

Well at least I know what is happening here.  These messages come from
the decoder when it does not know how to handle the ethertype for the
packet (which in this case is 0x0).  Since it can't decode the packet,
it will just store the alert info into the database.  I would be
interested in seeing the data file that you are getting these from.

-A
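
The behaviour described in the reply above, as an added sketch that is not part of the original message and is not Snort or Barnyard source: a decoder that always keeps the signature but fills in IP/TCP fields only when it recognises the ethertype. The alert_record layout, decode_frame() and both sample frames are hypothetical and constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#define ETHERTYPE_IPV4 0x0800

/* Hypothetical alert record: the signature is always stored, the
   network fields only when the frame could be decoded. */
typedef struct {
    uint32_t sig_id;
    int      has_ip, has_tcp;
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint16_t ethertype;
} alert_record;

/* Constructed sample frames: an all-zero frame (ethertype 0x0) and a
   minimal Ethernet/IPv4/TCP frame, 192.0.2.1:1024 -> 192.0.2.2:80. */
static const uint8_t zero_frame[60] = {0};
static const uint8_t tcp_frame[] = {
    0x02,0,0,0,0,0x01, 0x02,0,0,0,0,0x02, 0x08,0x00,
    0x45,0x00,0x00,0x18, 0,0,0,0, 0x40,0x06,0,0,
    0xc0,0x00,0x02,0x01, 0xc0,0x00,0x02,0x02,
    0x04,0x00, 0x00,0x50 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }

/* Returns 0 when the frame decoded, -1 when only the signature is usable. */
int decode_frame(const uint8_t *pkt, size_t len, uint32_t sig_id, alert_record *out)
{
    memset(out, 0, sizeof(*out));
    out->sig_id = sig_id;
    if (len < 14) return -1;                     /* no complete Ethernet header */
    out->ethertype = rd16(pkt + 12);
    if (out->ethertype != ETHERTYPE_IPV4) return -1;  /* e.g. 0x0: unknown header */
    const uint8_t *ip = pkt + 14;
    size_t iplen = len - 14;
    if (iplen < 20 || (ip[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;     /* IPv4 header length in bytes */
    if (ihl < 20 || iplen < ihl) return -1;
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    out->has_ip = 1;
    if (ip[9] == 6 && iplen >= ihl + 4) {        /* TCP: ports are the first 4 bytes */
        out->src_port = rd16(ip + ihl);
        out->dst_port = rd16(ip + ihl + 2);
        out->has_tcp = 1;
    }
    return 0;
}

int main(void) { alert_record a; return decode_frame(zero_frame, sizeof zero_frame, 1, &a) == -1 ? 0 : 1; }
```

A record that comes back with -1 still carries sig_id, which corresponds to the database row with a signature and no IP or TCP information.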



