[Snort-users] how to disable "Short UDP packet, length field" alert?

Erek Adams erek at ...950...
Mon Jun 16 07:50:17 EDT 2003

On Mon, 16 Jun 2003, sb ch wrote:

> I would like to disable this function, but I can't find any rule file
> related.

It's not from a rule.  It's from the snort_decoder.  Check the comments
inside of snort.conf that come after these lines:

  # Configure the snort decoder:
  # ============================

> So this alert has nothing related rule files.
> How can I disable this logging?
> Surely, I did like below, but alerts are continued.
> var HOME_NET any ![210.xx.xx.xxx]
> var EXTERNAL_NET any ![210.xx.xx.xxx]

I don't think you're setup right with those variables.  I'm guessing that
the network you want to watch is 210.xx.xx.xx.  If so, you might consider
changing that to:

	var HOME_NET 210.xx.xx.xx

I think that would make the rules fire in a more sane manner.



Erek Adams

