[Snort-users] Re: IP short header

Fyodor fygrave at ...121...
Sun Mar 3 03:34:06 EST 2002


Peter Kahle <pkahle at ...492...> spoke:
> > 
> > Message: 7
> > Date: Sat, 2 Mar 2002 15:55:15 -0800
> > From: John Sage <jsage at ...2022...>
> > To: Render-Vue <sales at ...4295...>
> > Cc: snort-users at lists.sourceforge.net
> > Subject: Re: [Snort-users] IP short header
> > 
> > Well, the short answer that doesn't tell you much is that the IP
> > header is expected to be 20 bytes long.
> > 
> > What you're receiving is only 18 long, and it triggers a rule in
> > -- hmm.. I can't grep for 'short header' in *.rules -- what version of
> > snort did you say you were running, and what platform ;-) ?
>  
>  This looks suspiciously like a DEBUG printf in DecodeIPOnly (I'm
>  looking in 1.8.1 source, I think):
>  printf("ICMP Unreachable IP header length: %lu\n", (unsigned long)hlen);
> 
>  So it may not be in a rule at all.

It isn't the rule. Normally ICMP packets should carry at least 64 bits
of original datagram (+ icmp header, + ip header), what probably is in
your case is that the datagram is truncated, therefore snort complains.
If you aren't interested in seeing that, patching the snort code is
pretty much the only way. Guess we should have made all those errors
turnable on/off by an option though.
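
Added example (not part of the original message and not Snort's own decoder code): a minimal length check for the original datagram quoted inside an ICMP error, covering the truncated case discussed in this thread. The function name, status codes and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this example (not Snort's). */
enum emb_status { EMB_OK, EMB_SHORT_HEADER, EMB_BAD_VERSION,
                  EMB_BAD_IHL, EMB_SHORT_OPTIONS, EMB_SHORT_DATA };

/* payload: bytes following the 8-byte ICMP header of an error message,
 * i.e. the quoted original IP header plus the start of its data. */
enum emb_status check_embedded_ip(const uint8_t *payload, size_t len)
{
    if (len < 20)                       /* minimum IPv4 header */
        return EMB_SHORT_HEADER;
    if ((payload[0] >> 4) != 4)         /* version nibble */
        return EMB_BAD_VERSION;
    size_t hlen = (size_t)(payload[0] & 0x0f) * 4;  /* IHL, 32-bit words */
    if (hlen < 20)
        return EMB_BAD_IHL;
    if (len < hlen)                     /* options cut off */
        return EMB_SHORT_OPTIONS;
    if (len - hlen < 8)                 /* 64 bits of original datagram */
        return EMB_SHORT_DATA;
    return EMB_OK;
}

/* Constructed sample: 20-byte IPv4 header (UDP, 192.0.2.1 -> 192.0.2.2)
 * followed by the 8-byte UDP header; checksums zeroed for brevity. */
static const uint8_t sample[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00,
    0x40, 0x11, 0x00, 0x00, 192, 0, 2, 1, 192, 0, 2, 2,
    0x04, 0x00, 0x00, 0x35, 0x00, 0x08, 0x00, 0x00
};

int main(void)
{
    static const char *names[] = { "ok", "short header", "bad version",
        "bad IHL", "short options", "short data" };
    size_t lens[] = { 28, 18, 24 };     /* full, 18-byte case, cut data */
    for (size_t i = 0; i < 3; i++)
        printf("len=%zu -> %s\n", lens[i],
               names[check_embedded_ip(sample, lens[i])]);
    return 0;
}
```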
