[Snort-users] RE: WARNING: Not IPv4 datagram!

Petriz, Pablo ppetriz at ...3815...
Thu Apr 24 12:25:04 EDT 2003


I'm having the same problem when upgrade to 2.0.0 (on RH7),
lots of snort_decoder alerts (inside the DMZ!!!) between a 
Win2KTS, an NT4 and a Linux Caldera 7.3. What would that be????

Here are some of the alerts:

(snort_decoder) TCP packet len is smaller than 20 bytes!
(snort_decoder): Truncated Ipv4 Options
(snort_decoder): Truncated Tcp Options
(snort_decoder): Tcp Options found with bad lengths
(snort_decoder) WARNING: TCP Data Offset is less than 5!
(snort_decoder) WARNING: Not IPv4 datagram!
(snort_decoder) WARNING: hlen < IP_HEADER_LEN!
(snort_decoder): Short UDP packet, length field > payload length
(snort_decoder) WARNING: TCP Header length exceeds packet length! 

Thanks!

PABLO

> From: "Jeremia d." <jdb at ...8995...>
> Reply-To: jdb at ...8995...
> Organization: Penguin-Security Networks
> To: snort-users at lists.sourceforge.net
> Date: Wed, 23 Apr 2003 09:27:30 -0400
> Subject: [Snort-users] WARNING: Not IPv4 datagram!
> 
> I have noticed in my logs recently alot of alerts with
>  [snort] (snort_decoder) WARNING: Not IPv4 datagram!
> 
> I have since blocked the ip doing this with iptable's. Now I 
> get the same 
> alerts but the destination is not my ip. Just the first 2 
> ocets match my ip.
> Any idea why this is behaving like this?
> 
> Thanks ahead.




More information about the Snort-users mailing list