[Snort-users] 1.9.0 and "Unknown Datagram decoding problem"

Erek Adams erek at ...577...
Tue Oct 8 14:15:01 EDT 2002

On Wed, 9 Oct 2002, Jason Haar wrote:

> On our network, this alert is triggering every time our SNMP network
> management server talks to any host over our VPN. It appears to be matching
> on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
> traffic than "normal" networks).

Hrm...  It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or

If you have it, I'd suggest grabbing a pcap of some of those packets and then
building a debug version of snort.  Enable debugging in the decoder and then
run the pcap thru it to track down what it's really doing.

> Any timeframe for either fixing this or being able to disable it?

With the right info, you should be able to write a BPF filter to drop the
packets that are causing it for now.


Erek Adams
