[Snort-users] bug in snort 2.0.1?

Luo, Philip Philip_Luo at ...4729...
Thu Aug 7 11:44:09 EDT 2003


Here is the actual alert.

[**] [116:97:1] (snort_decoder): Short UDP packet, length field > payload
length [**]
08/07-14:22:29.786200 10.1.187.106:0 -> 10.1.27.12:0
UDP TTL:128 TOS:0x0 ID:24027 IpLen:20 DgmLen:1675
Len: 1647

The IP length is 1675, the UDP length is 1655, but the payload length is
none.

I am using ibm token ring connection which also have many 
[**] [116:143:1] (snort_decoder) WARNING: Bad Token Ring MR Header! [**]
08/06-15:15:06.924570

Token Ring! MR Header?

Philip

-----Original Message-----
From: Erek Adams [mailto:erek at ...950...] 
Sent: Thursday, August 07, 2003 1:46 PM
To: Luo, Philip
Cc: 'snort-users at lists.sourceforge.net'
Subject: Re: [Snort-users] bug in snort 2.0.1?

On Thu, 7 Aug 2003, Luo, Philip wrote:

> I am getting tons of these alerts like
>
> (snort_decoder): Short UDP packet, length field > payload length
>
> from desktops to domain controllers. It looks like a bug!

Ummmm....  Have you taken the time to look at the packet in question?  The
field length might actually be reported as bigger than the payload.  Care
to share a packet decode?  Far be it for us to think that Microsoft might
have done something Whacky like that...  :)

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson





More information about the Snort-users mailing list