[Snort-users] bug in snort 2.0.1?
Philip_Luo at ...4729...
Thu Aug 7 11:44:09 EDT 2003
Here is the actual alert.
[**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload
08/07-14:22:29.786200 10.1.187.106:0 -> 10.1.27.12:0
UDP TTL:128 TOS:0x0 ID:24027 IpLen:20 DgmLen:1675
The IP length is 1675, the UDP length is 1655, but the payload length is
I am using ibm token ring connection which also have many
[**] [116:143:1] (snort_decoder) WARNING: Bad Token Ring MR Header! [**]
Token Ring! MR Header?
From: Erek Adams [mailto:erek at ...950...]
Sent: Thursday, August 07, 2003 1:46 PM
To: Luo, Philip
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] bug in snort 2.0.1?
On Thu, 7 Aug 2003, Luo, Philip wrote:
> I am getting tons of these alerts like
> (snort_decoder): Short UDP packet, length field > payload length
> from desktops to domain controllers. It looks like a bug!
Ummmm.... Have you taken the time to look at the packet in question? The
field length might actually be reported as bigger than the payload. Care
to share a packet decode? Far be it for us to think that Microsoft might
have done something Whacky like that... :)
"When things get weird, the weird turn pro." H.S. Thompson
More information about the Snort-users