[Snort-users] how to stop these UDP TCP alerts?

Erek Adams erek at ...950...
Tue Sep 23 03:43:05 EDT 2003


On Mon, 22 Sep 2003, Clayton Mascarenhas wrote:

> I know this question has been asked before, but I cannot find the answer
> to this. I have really searched google and the mailing list but still
> can't find the answer to this question.
>
> Could I please know how to stop snort 2.0.2 from generating the
> following alerts...
>
> [**] (snort_decoder): Short UDP packet, length field > payload length
> [**] 01/29-01:00:18.399475 132.x.x.x:0 -> 132.x.x.x:0 UDP TTL:128
> TOS:0x0 ID:15667 IpLen:20 DgmLen:161Len: 133
>
> [**] (snort_decoder) WARNING: TCP Header length exceeds packet length!
> [**]01/29-01:00:09.082724 132.x.x.x:0 -> 132.x.x.x:0 TCP TTL:60 TOS:0x0
> ID:57434 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x21676561 Ack: 0xCECE0987
> Win: 0xC036 TcpLen: 32
>
> I am getting a million of these alerts. I don't think there is any snort
> rule to this. Am I correct?

They are from the 'snort_decoder', not from a rule.

To stop them you'll have to either use a BPF filter to ignore the hosts,
or turn off the TCP checks in the snort.conf (there's a whole section on
it).

Cheers!

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson
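
An added example, not part of the original message: a Python script that counts decoder alerts per source address in an alert file laid out like the one quoted above and builds the BPF expression for the first option in the reply. The sample alerts, their addresses (documentation ranges) and the `min_alerts` threshold are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted above (documentation-range addresses).
SAMPLE = """\
[**] (snort_decoder): Short UDP packet, length field > payload length
[**] 01/29-01:00:18.399475 192.0.2.10:0 -> 192.0.2.20:0 UDP TTL:128
TOS:0x0 ID:15667 IpLen:20 DgmLen:161 Len: 133

[**] (snort_decoder) WARNING: TCP Header length exceeds packet length!
[**]01/29-01:00:09.082724 192.0.2.10:0 -> 192.0.2.20:0 TCP TTL:60 TOS:0x0

[**] (snort_decoder): Short UDP packet, length field > payload length
[**] 01/29-01:00:19.000001 192.0.2.10:0 -> 192.0.2.30:0 UDP TTL:128

[**] (snort_decoder): Short UDP packet, length field > payload length
[**] 01/29-01:02:00.000001 198.51.100.7:0 -> 192.0.2.30:0 UDP TTL:64
"""

# "src:port -> dst:port" on the line that follows the decoder message.
ADDR_LINE = re.compile(r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):\d+")

def decoder_alert_sources(text):
    """Count snort_decoder alerts per source IP address."""
    counts = Counter()
    expect_addr = False
    for line in text.splitlines():
        if "(snort_decoder)" in line:
            expect_addr = True          # the address line comes next
        elif expect_addr:
            m = ADDR_LINE.search(line)
            if m:
                counts[m.group(1)] += 1
            expect_addr = False
    return counts

def bpf_exclusion(counts, min_alerts=2):
    """BPF expression ignoring hosts with at least min_alerts decoder alerts."""
    hosts = sorted(h for h, n in counts.items() if n >= min_alerts)
    if not hosts:
        return ""
    return "not (" + " or ".join(f"host {h}" for h in hosts) + ")"

if __name__ == "__main__":
    counts = decoder_alert_sources(SAMPLE)
    print(counts.most_common())
    print(bpf_exclusion(counts))
```

The expression can be given to Snort as the trailing filter argument on the command line or in a file via `-F`. It hides all traffic to and from those hosts from Snort, not only the decoder alerts, so rule-based alerts for them stop as well.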
