[Snort-users] how to stop these UDP TCP alerts?
jlarsson at ...10160...
Wed Sep 24 10:21:15 EDT 2003
I have scanned through mailing lists looking for which "false alerts" these TCP
checks will stop. I get the following messages in my alert file:
(snort_decoder): Short UDP packet, length field > payload length
(snort_decoder) WARNING: TCP Header length exceeds packet length!
(snort_decoder): Truncated Tcp Options
Where can I find an explanation of what these mean: "Stop generic decode event",
"Stop alerts on experimental TCP options", etc.?
/Johan
PS, Sorry to have sent this two times to you Erek :(
Quoting Erek Adams <erek at ...950...>:
> On Mon, 22 Sep 2003, Clayton Mascarenhas wrote:
>
> > I know this question has been asked before, but I cannot find the answer
> > to this. I have really searched google and the mailing list but still
> > can't find the answer to this question.
> >
> > Could I please know how to stop snort 2.0.2 from generating the
> > following alerts...
> >
> > [**] (snort_decoder): Short UDP packet, length field > payload length
> > [**] 01/29-01:00:18.399475 132.x.x.x:0 -> 132.x.x.x:0 UDP TTL:128
> > TOS:0x0 ID:15667 IpLen:20 DgmLen:161 Len: 133
> >
> > [**] (snort_decoder) WARNING: TCP Header length exceeds packet length!
> > [**] 01/29-01:00:09.082724 132.x.x.x:0 -> 132.x.x.x:0 TCP TTL:60 TOS:0x0
> > ID:57434 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x21676561 Ack: 0xCECE0987
> > Win: 0xC036 TcpLen: 32
> >
> > I am getting a million of these alerts. I don't think there is any snort
> > rule to this. Am I correct?
>
> They are from the 'snort_decoder', not from a rule.
>
> To stop them you'll have to either use a BPF filter to ignore the hosts,
> or turn off the TCP checks in the snort.conf (there's a whole section on
> it).
>
> Cheers!
>
> -----
> Erek Adams
>
> "When things get weird, the weird turn pro." H.S. Thompson
>
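
What the three decoder messages quoted in this thread test for, as an added example that is not part of the original posts and is not Snort's source code: a simplified Python model of the length checks, run on constructed headers. The function names and the "example:" labels are hypothetical; only the three alert strings come from the thread.

```python
import struct

SHORT_UDP = "Short UDP packet, length field > payload length"
TCP_HLEN = "TCP Header length exceeds packet length"
TCP_OPTS = "Truncated Tcp Options"

def check_udp(seg: bytes) -> list:
    """seg: captured bytes starting at the UDP header."""
    if len(seg) < 8:
        return ["example: fewer than 8 bytes of UDP header captured"]
    length = struct.unpack("!H", seg[4:6])[0]   # header + data, per the sender
    return [SHORT_UDP] if length > len(seg) else []

def check_tcp(seg: bytes) -> list:
    """seg: captured bytes starting at the TCP header."""
    if len(seg) < 20:
        return ["example: fewer than 20 bytes of TCP header captured"]
    hlen = (seg[12] >> 4) * 4                   # data offset in 32-bit words
    if hlen < 20:
        return ["example: data offset below the 20-byte minimum"]
    if hlen > len(seg):
        return [TCP_HLEN]
    opts, i = seg[20:hlen], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                           # End of Option List
            break
        if kind == 1:                           # No-Operation, one byte
            i += 1
            continue
        # Every other option carries its own length byte (kind + len + data).
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            return [TCP_OPTS]
        i += opts[i + 1]
    return []

def tcp_header(offset_words: int, options: bytes = b"") -> bytes:
    """Constructed 20-byte TCP header (ACK set) followed by `options`."""
    return struct.pack("!HHIIBBHHH", 1024, 80, 0, 0,
                       offset_words << 4, 0x10, 0, 0, 0) + options

if __name__ == "__main__":
    ts = b"\x01\x01\x08\x0a" + bytes(8)         # NOP, NOP, timestamp (len 10)
    print(check_tcp(tcp_header(8, ts)))         # complete 32-byte header
    print(check_tcp(tcp_header(8)))             # claims 32 bytes, 20 present
    print(check_tcp(tcp_header(6, b"\x08\x0a\x00\x00")))  # option overruns
    print(check_udp(struct.pack("!HHHH", 53, 53, 141, 0) + bytes(52)))
```

In this model a header cut short during capture and a header carrying a wrong length field give the same result, because each check compares a claimed length against the bytes actually available.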