[Snort-users] Re: IP short header

Peter Kahle pkahle at ...492...
Sat Mar 2 20:47:15 EST 2002


> 
> Message: 7
> Date: Sat, 2 Mar 2002 15:55:15 -0800
> From: John Sage <jsage at ...2022...>
> To: Render-Vue <sales at ...4295...>
> Cc: snort-users at lists.sourceforge.net
> Subject: Re: [Snort-users] IP short header
> 
> Well, the short answer that doesn't tell you much is that the IP
> header is expected to be 20 bytes long.
> 
> What you're receiving is only 18 long, and it triggers a rule in
> -- hmm.. I can't grep for 'short header' in *.rules -- what version of
> snort did you say you were running, and what platform ;-) ?
 
 This looks suspiciously like a DEBUG printf in DecodeIPOnly (I'm
 looking in 1.8.1 source, I think):
 printf("ICMP Unreachable IP header length: %lu\n", (unsigned long)hlen);

 So it may not be in a rule at all.
 P

-- 

Those who would give up essential Liberty to purchase a little temporary 
safety, deserve neither Liberty nor safety.
					-- Ben Franklin

|| Peter M Kahle Jr              ||     PGP Public Key on Keyservers     ||
|| pkahle at ...492...              ||    http://pops.dyndns.com/~pkahle/   || 
##===============================##======================================##
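
Added example (not part of the original message and not Snort's own code): a length check a decoder could apply to the IP header quoted inside an ICMP unreachable message, showing how an 18-byte remainder fails the 20-byte minimum discussed above. The function name, status enum and sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define IP_MIN_HLEN 20u  /* IPv4 header without options */

/* Hypothetical status codes for this example. */
enum emb_status { EMB_OK, EMB_TRUNCATED, EMB_BAD_VERSION, EMB_BAD_IHL, EMB_OPTS_CUT };

/* Validate the IPv4 header quoted inside an ICMP unreachable message.
 * buf points just past the 8-byte ICMP header; len is the number of bytes
 * captured from there. On EMB_OK, *hlen receives the header length
 * declared by the IHL field. */
enum emb_status check_embedded_ip(const uint8_t *buf, size_t len, unsigned *hlen)
{
    if (len < IP_MIN_HLEN)
        return EMB_TRUNCATED;      /* e.g. 18 bytes: the "short header" case */
    if ((buf[0] >> 4) != 4)
        return EMB_BAD_VERSION;    /* not IPv4, do not trust the rest */
    unsigned declared = (buf[0] & 0x0Fu) * 4u;
    if (declared < IP_MIN_HLEN)
        return EMB_BAD_IHL;        /* IHL below 5 is never valid */
    if (declared > len)
        return EMB_OPTS_CUT;       /* options run past the captured bytes */
    *hlen = declared;
    return EMB_OK;
}

/* Constructed sample: 20-byte IPv4 header (version 4, IHL 5, UDP),
 * documentation addresses, checksum left as zero. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00,
    0x40, 0x11, 0x00, 0x00, 192, 0, 2, 1, 198, 51, 100, 7
};

int main(void)
{
    unsigned hlen = 0;
    printf("20 bytes captured: status %d\n",
           check_embedded_ip(sample_hdr, sizeof sample_hdr, &hlen));
    printf("18 bytes captured: status %d\n",
           check_embedded_ip(sample_hdr, 18, &hlen));
    return 0;
}
```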



