[Snort-users] how to disable "Short UDP packet, length field" alert?

Erek Adams erek at ...950...
Mon Jun 16 07:50:17 EDT 2003


On Mon, 16 Jun 2003, sb ch wrote:

> I would like to disable this function, but I can't find any rule file
> related.

It's not from a rule.  It's from the snort_decoder.  Check the comments
inside of snort.conf that come after these lines:

  # Configure the snort decoder:
  # ============================

> So this alert has nothing related rule files.
> How can I disable this logging?
> Surely, I did like below, but alerts are continued.
>
> var HOME_NET any ![210.xx.xx.xxx]
> var EXTERNAL_NET any ![210.xx.xx.xxx]

I don't think you're set up right with those variables.  I'm guessing that
the network you want to watch is 210.xx.xx.xx.  If so, you might consider
changing that to:

	var HOME_NET 210.xx.xx.xx
	var EXTERNAL_NET !$HOME_NET

I think that would make the rules fire in a more sane manner.

[...snip...]

Cheers!


-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson



