[Snort-users] how to stop these UDP TCP alerts?

jlarsson at ...10160... jlarsson at ...10160...
Wed Sep 24 10:21:15 EDT 2003


I have scanned through mailing lists looking for which "false alerts" these TCP
checks will stop. I get the following messages in my alert file:

(snort_decoder): Short UDP packet, length field > payload length
(snort_decoder) WARNING: TCP Header length exceeds packet length!
(snort_decoder): Truncated Tcp Options

Where can I find an explanation of what these mean: "Stop generic decode event",
"Stop alerts on experimental TCP options", etc.?
  
/Johan 
 
PS, Sorry to have sent this two times to you Erek :( 
 
Quoting Erek Adams <erek at ...950...>: 
 
> On Mon, 22 Sep 2003, Clayton Mascarenhas wrote:
>
> > I know this question has been asked before, but I cannot find the
> > answer to this. I have really searched Google and the mailing list
> > but still can't find the answer to this question.
> >
> > Could I please know how to stop snort 2.0.2 from generating the
> > following alerts...
> >
> > [**] (snort_decoder): Short UDP packet, length field > payload length
> > [**] 01/29-01:00:18.399475 132.x.x.x:0 -> 132.x.x.x:0 UDP TTL:128
> > TOS:0x0 ID:15667 IpLen:20 DgmLen:161Len: 133
> >
> > [**] (snort_decoder) WARNING: TCP Header length exceeds packet length!
> > [**]01/29-01:00:09.082724 132.x.x.x:0 -> 132.x.x.x:0 TCP TTL:60 TOS:0x0
> > ID:57434 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x21676561 Ack: 0xCECE0987
> > Win: 0xC036 TcpLen: 32
> >
> > I am getting a million of these alerts. I don't think there is any
> > snort rule to this. Am I correct?
>
> They are from the 'snort_decoder', not from a rule.
>
> To stop them you'll have to either use a BPF filter to ignore the
> hosts, or turn off the TCP checks in the snort.conf (there's a whole
> section on it).
>  
> Cheers! 
>  
> ----- 
> Erek Adams 
>  
>    "When things get weird, the weird turn pro."   H.S. Thompson 
>  
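
As an added example (not part of the original messages and not Snort's own decoder code), the sketch below shows the header-consistency conditions that the three alert texts in this thread describe, using the standard UDP and TCP header layouts. The function names, the "too short" labels and the sample packets are constructed for illustration, and the exact conditions Snort applies are assumed from the alert wording.

```python
import struct

# Alert texts as quoted in this thread.
UDP_SHORT = "(snort_decoder): Short UDP packet, length field > payload length"
TCP_HLEN = "(snort_decoder) WARNING: TCP Header length exceeds packet length!"
TCP_OPTS = "(snort_decoder): Truncated Tcp Options"

def check_udp(seg: bytes):
    """seg: captured UDP header plus payload, IP header removed."""
    if len(seg) < 8:
        return "udp: fewer than 8 header bytes captured"  # our label
    length = struct.unpack("!H", seg[4:6])[0]  # length field: header + data
    return UDP_SHORT if length > len(seg) else None

def check_tcp(seg: bytes):
    """seg: captured TCP header plus payload, IP header removed."""
    if len(seg) < 20:
        return "tcp: fewer than 20 header bytes captured"  # our label
    hlen = (seg[12] >> 4) * 4  # data offset is counted in 32-bit words
    if hlen < 20:
        return "tcp: data offset below 5 words"  # our label
    if hlen > len(seg):
        return TCP_HLEN
    opts, i = seg[20:hlen], 0
    while i < len(opts) and opts[i] != 0:  # kind 0 = End of Option List
        if opts[i] == 1:  # NOP is a single byte
            i += 1
            continue
        # Other options are kind, length, data; length counts all three.
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return TCP_OPTS
        i += opts[i + 1]
    return None

def tcp_header(offset_words: int, options: bytes = b"") -> bytes:
    """Constructed sample: fixed 20-byte header with ACK set, then options."""
    return struct.pack("!HHIIBBHHH", 1024, 80, 1, 1,
                       offset_words << 4, 0x10, 0xC036, 0, 0) + options

# Constructed samples, not traffic from the thread.
SAMPLES = {
    "udp ok": check_udp(struct.pack("!HHHH", 1024, 53, 12, 0) + b"abcd"),
    "udp length field too big": check_udp(struct.pack("!HHHH", 1024, 53, 133, 0) + b"abcd"),
    "tcp ok": check_tcp(tcp_header(8, b"\x01\x01\x08\x0a" + bytes(8))),
    "tcp offset past end": check_tcp(tcp_header(8)),
    "tcp option cut off": check_tcp(tcp_header(6, b"\x01\x01\x08\x0a")),
}

print("\n".join(f"{name:26} -> {result}" for name, result in SAMPLES.items()))
```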



