[Snort-users] 1.9.0 and "Unknown Datagram decoding problem"
erek at ...577...
Tue Oct 8 14:15:01 EDT 2002
On Wed, 9 Oct 2002, Jason Haar wrote:
> On our network, this alert is triggering every time our SNMP network
> management server talks to any host over our VPN. It appears to be matching
> on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
> traffic than "normal" networks).
Hrm... It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or
If you have it, I'd suggest grabbing a pcap of some of those packets and then
building a debug version of snort. Enable debugging in the decoder and then
run the pcap thru it to track down what it's really doing.
> Any timeframe for either fixing this or being able to disable it?
With the right info, you should be able to write a BPF filter to drop the
packets that are causing it for now.
More information about the Snort-users