[Snort-users] 1.9.0 and "Unknown Datagram decoding problem"

Erek Adams erek at ...577...
Tue Oct 8 14:15:01 EDT 2002


On Wed, 9 Oct 2002, Jason Haar wrote:

> On our network, this alert is triggering every time our SNMP network
> management server talks to any host over our VPN. It appears to be matching
> on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
> traffic than "normal" networks).

Hrm...  It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or
ICMP_REDIRECT.

If you have it, I'd suggest grabbing a pcap of some of those packets and then
building a debug version of snort.  Enable debugging in the decoder and then
run the pcap thru it to track down what it's really doing.

> Any timeframe for either fixing this or being able to disable it?

With the right info, you should be able to write a BPF filter to drop the
packets that are causing it for now.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net
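
A triage sketch for the pcap step suggested above, added here as an example; it is not part of the original message and not Snort code. It picks out ICMP destination-unreachable and redirect packets, decodes the datagram each one quotes, and builds a BPF expression that excludes them. The function names, addresses, ports and sample packets are constructed assumptions; the filter uses pcap-filter's `icmp[icmptype]` syntax.

```python
import socket, struct

ICMP_UNREACH, ICMP_REDIRECT = 3, 5

def ipv4_header(buf):
    """Parse an IPv4 header; None if buf is truncated or not IPv4."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    ihl = (buf[0] & 0x0F) * 4
    if ihl < 20 or len(buf) < ihl:
        return None
    frag = struct.unpack("!H", buf[6:8])[0]
    return {"ihl": ihl, "proto": buf[9], "frag_offset": (frag & 0x1FFF) * 8,
            "src": socket.inet_ntoa(buf[12:16]), "dst": socket.inet_ntoa(buf[16:20])}

def triage(packet):
    """For an ICMP unreachable/redirect, describe the datagram it quotes; else None."""
    outer = ipv4_header(packet)
    if outer is None or outer["proto"] != 1 or outer["frag_offset"]:
        return None
    icmp = packet[outer["ihl"]:]
    if len(icmp) < 8 or icmp[0] not in (ICMP_UNREACH, ICMP_REDIRECT):
        return None
    quoted = icmp[8:]          # 8-byte ICMP header, then the quoted datagram
    inner = ipv4_header(quoted)
    info = {"icmp_type": icmp[0], "reporter": outer["src"], "inner": inner, "udp_ports": None}
    if inner and inner["proto"] == 17 and inner["frag_offset"] == 0:
        l4 = quoted[inner["ihl"]:]
        if len(l4) >= 4:       # UDP ports exist only in the first fragment
            info["udp_ports"] = struct.unpack("!HH", l4[:4])
    return info

def bpf_exclude(reporters):
    """pcap-filter expression dropping ICMP unreachable/redirect from the given hosts."""
    hosts = " or ".join("src host " + h for h in sorted(reporters))
    return ("not (icmp and (icmp[icmptype] = icmp-unreach or "
            "icmp[icmptype] = icmp-redirect) and (" + hosts + "))")

def build_ip(src, dst, proto, payload, frag=0):
    """Constructed test packet; IP checksum left at zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, frag, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

# Constructed samples (addresses and ports are made up, not taken from the thread)
udp_first = build_ip("10.0.0.1", "10.0.0.2", 17, struct.pack("!HHHH", 40000, 161, 2000, 0), frag=0x2000)
udp_later = build_ip("10.0.0.1", "10.0.0.2", 17, b"\x30\x82\x05\x00AAAA", frag=185)
icmp_hdr = b"\x03\x01" + bytes(6)   # type 3 (unreachable), code 1, zero checksum/unused
SAMPLES = [build_ip("10.0.0.2", "10.0.0.1", 1, icmp_hdr + udp_first),
           build_ip("10.0.0.2", "10.0.0.1", 1, icmp_hdr + udp_later), udp_first]
```

Feeding the `reporter` addresses from the `triage` hits to `bpf_exclude` yields a filter narrow enough to leave other ICMP traffic visible to the sensor.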




