[Snort-users] 1.9.0 and "Unknown Datagram decoding problem"

Chris Green cmg at ...1935...
Tue Oct 8 16:25:04 EDT 2002


Erek Adams <erek at ...577...> writes:

> On Wed, 9 Oct 2002, Jason Haar wrote:
>
>> On our network, this alert is triggering every time our SNMP network
>> management server talks to any host over our VPN. It appears to be matching
>> on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
>> traffic than "normal" networks).
>

Please give me a pcap of the traffic that it is generating alerts on.
I made the default "we don't know how to decode this or we screwed up
decoding" do a bit more verbosity rather than the ErrorMessages() it
used to do.

In the meantime,

    config disable_decode_alerts

in your snort.conf will help.

> Hrm...  It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or
> ICMP_REDIRECT.
>
> If you have it, I'd suggest grabbing a pcap of some of those packets and then
> building a debug version of snort.  Enable debugging in the decoder and then
> run the pcap thru it to track down what it's really doing.
>
>> Any timeframe for either fixing this or being able to disable it?
>
> With the right info, you should be able to write a BPF filter to drop the
> packets that are causing it for now.
>
> Cheers!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

-- 
Chris Green <cmg at ...1935...>
Don't use a big word where a diminutive one will suffice.
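
An added illustration (not from the thread, and not Snort's decoder code): the Python below mirrors what three standard libpcap filter expressions test, run over constructed packets, to show which of the traffic discussed above each expression would select before it is used to capture a pcap or to exclude packets. The choice of expressions, all function names and the sample packets are assumptions; the thread does not settle which packets raise the alert.

```python
import struct

ICMP_UNREACH, ICMP_REDIRECT = 3, 5  # the two ICMP types named in the thread

def ipv4(proto, payload, frag_off=0, more_frags=False):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    flags_frag = (0x2000 if more_frags else 0) | (frag_off // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1,
                         flags_frag, 64, proto, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return header + payload

def frag_field(pkt):
    """Flags and fragment offset, the 16 bits at byte 6 of the IPv4 header."""
    return struct.unpack_from("!H", pkt, 6)[0]

def is_fragment(pkt):
    """BPF 'ip[6:2] & 0x3fff != 0': MF flag set or non-zero fragment offset."""
    return frag_field(pkt) & 0x3FFF != 0

def has_l4_header(pkt, proto):
    """Only a packet at fragment offset 0 carries the UDP or ICMP header."""
    return pkt[9] == proto and frag_field(pkt) & 0x1FFF == 0

def matches_udp_port(pkt, port):
    """BPF 'udp port N': later fragments can never match."""
    ihl = (pkt[0] & 0x0F) * 4
    return has_l4_header(pkt, 17) and port in struct.unpack_from("!HH", pkt, ihl)

def is_unreach_or_redirect(pkt):
    """BPF 'icmp[icmptype] == icmp-unreach or icmp[icmptype] == icmp-redirect'."""
    ihl = (pkt[0] & 0x0F) * 4
    return has_l4_header(pkt, 1) and pkt[ihl] in (ICMP_UNREACH, ICMP_REDIRECT)

def classify(pkt):
    """Return (fragment, udp port 161, ICMP unreach/redirect) for one packet."""
    return (is_fragment(pkt), matches_udp_port(pkt, 161), is_unreach_or_redirect(pkt))

# Constructed samples: one SNMP datagram split in two, plus unfragmented traffic.
SAMPLES = {
    "snmp_first_frag": ipv4(17, struct.pack("!HHHH", 40000, 161, 2008, 0) + b"\x30" * 1472, 0, True),
    "snmp_later_frag": ipv4(17, b"\x30" * 528, 1480),
    "snmp_whole": ipv4(17, struct.pack("!HHHH", 40000, 161, 48, 0) + b"\x30" * 40),
    "icmp_unreach": ipv4(1, struct.pack("!BBHI", 3, 4, 0, 0) + b"\x00" * 28),
    "icmp_echo": ipv4(1, struct.pack("!BBHI", 8, 0, 0, 0)),
}

def report():
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}
```

The later fragment matches only the fragment test, so a port-based filter alone would leave half of each fragmented SNMP datagram out of the capture.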



