[Snort-users] 1.9.0 and "Unknown Datagram decoding problem"
cmg at ...1935...
Tue Oct 8 16:25:04 EDT 2002
Erek Adams <erek at ...577...> writes:
> On Wed, 9 Oct 2002, Jason Haar wrote:
>> On our network, this alert is triggering every time our SNMP network
>> management server talks to any host over our VPN. It appears to be matching
>> on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
>> traffic than "normal" networks).

Please give me a pcap of the traffic that it is generating alerts on.

I made the default "we don't know how to decode this or we screwed up
decoding", do a bit more verbosity rather than the ErrorMessages() it
used to do.

In the meantime,
in your snort.conf will help.

> Hrm... It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or
> If you have it, I'd suggest grabbing a pcap of some of those packets and then
> building a debug version of snort. Enable debugging in the decoder and then
> run the pcap thru it to track down what it's really doing.
>> Any timeframe for either fixing this or being able to disable it?
> With the right info, you should be able to write a BPF filter to drop the
> packets that are causing it for now.
> Erek Adams
Chris Green <cmg at ...1935...>
Don't use a big word where a diminutive one will suffice.