[Snort-users] how to stop these UDP TCP alerts?

Phil Wood cpw at ...440...
Thu Sep 25 13:28:18 EDT 2003


There are two things going on here.

  1. Snort has built in rules (which can be disabled in the snort.conf file),
     which look for incorrect usage of the IP, ICMP, UDP, and TCP suite
     of protocols.  If you don't want to see them, disable them using the
     pound sign '#'.

  2. People using the Internet these days don't know much about the Internet
     protocol suite, which matured in the early eighties.  Some illustrious
     individuals, such as Comer and Stevens, took the time to write volumes
     about what has become known as TCP/IP, back in the early nineties.

People who have a problem understanding number 2 should take a look at:

  Comer: http://www.cs.purdue.edu/homes/dec/netbooks.html
  Stevens: http://www.kohala.com/start/
     
  Comer and Stevens collaborated on a number of the books you should probably
  acquire and read before asking general questions about TCP/IP.

Later,

On Wed, Sep 24, 2003 at 01:20:26PM -0400, jlarsson at ...10160... wrote:
> I have scanned through mailing lists looking for which "false alerts" these TCP
> checks will stop.   I get the following messages in my alert file
>
> (snort_decoder): Short UDP packet, length field > payload length
> (snort_decoder) WARNING: TCP Header length exceeds packet length!
> (snort_decoder): Truncated Tcp Options
>
> Where can I find an explanation of what these mean: "Stop generic decode event",
> "Stop alerts on experimental TCP options", etc.?
>   
> /Johan 
>  
> PS, Sorry to have sent this two times to you Erek :( 
>  
> Quoting Erek Adams <erek at ...950...>: 
>  
> > On Mon, 22 Sep 2003, Clayton Mascarenhas wrote:
> >
> > > I know this question has been asked before, but I cannot find the answer
> > > to this. I have really searched google and the mailing list but still
> > > can't find the answer to this question.
> > >
> > > Could I please know how to stop snort 2.0.2 from generating the
> > > following alerts...
> > >
> > > [**] (snort_decoder): Short UDP packet, length field > payload length
> > > [**] 01/29-01:00:18.399475 132.x.x.x:0 -> 132.x.x.x:0 UDP TTL:128
> > > TOS:0x0 ID:15667 IpLen:20 DgmLen:161 Len: 133
> > >
> > > [**] (snort_decoder) WARNING: TCP Header length exceeds packet length!
> > > [**] 01/29-01:00:09.082724 132.x.x.x:0 -> 132.x.x.x:0 TCP TTL:60 TOS:0x0
> > > ID:57434 IpLen:20 DgmLen:52 DF ***A**** Seq: 0x21676561 Ack: 0xCECE0987
> > > Win: 0xC036 TcpLen: 32
> > >
> > > I am getting a million of these alerts. I don't think there is any snort
> > > rule to this. Am I correct?
> >
> > They are from the 'snort_decoder', not from a rule.
> >
> > To stop them you'll have to either use a BPF filter to ignore the hosts,
> > or turn off the TCP checks in the snort.conf (there's a whole section on
> > it).
> >  
> > Cheers! 
> >  
> > ----- 
> > Erek Adams 
> >  
> >    "When things get weird, the weird turn pro."   H.S. Thompson 
> >  
> >  
> > ------------------------------------------------------- 
> > This sf.net email is sponsored by:ThinkGeek 
> > Welcome to geek heaven. 
> > http://thinkgeek.com/sf 
> > _______________________________________________ 
> > Snort-users mailing list 
> > Snort-users at lists.sourceforge.net 
> > Go to this URL to change user options or unsubscribe: 
> > https://lists.sourceforge.net/lists/listinfo/snort-users 
> > Snort-users list archive: 
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users 
> >  
> 

-- 
Phil Wood (cpw_at_lanl.gov)
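Before silencing decoder events wholesale (the `config disable_decode_alerts` / `config disable_tcpopt_*_alerts` lines in the snort.conf section Erek mentions), it is worth knowing which messages fire and from which hosts, since a small number of broken stacks usually account for most of the noise and a per-host BPF filter keeps the checks alive for everything else. The script below is an added example, not part of this thread or of Snort itself: it parses the two-line `(snort_decoder)` alert format quoted above from a constructed sample file, counts events per message and per source host, and builds the `not host ...` BPF expression you would pass to Snort on the command line. The sample addresses and the noise threshold are assumptions.

```python
"""Triage Snort 2.x decoder alerts before deciding what to silence.

Added example, not code from the thread or from Snort. It parses the
two-line '[**] (snort_decoder) ...' alert format quoted in the thread,
counts events per decoder message and per source host, and builds a BPF
expression excluding the noisiest hosts (Erek's first suggestion).
"""
import re
from collections import Counter

# Constructed sample alert file, modelled on the lines quoted in the thread.
# Hosts and timestamps are made up.
SAMPLE_ALERTS = """\
[**] (snort_decoder): Short UDP packet, length field > payload length [**]
01/29-01:00:18.399475 132.0.0.5:0 -> 132.0.0.9:0 UDP TTL:128 TOS:0x0 ID:15667 IpLen:20 DgmLen:161 Len: 133

[**] (snort_decoder) WARNING: TCP Header length exceeds packet length! [**]
01/29-01:00:09.082724 132.0.0.7:0 -> 132.0.0.9:0 TCP TTL:60 TOS:0x0 ID:57434 IpLen:20 DgmLen:52 DF

[**] (snort_decoder): Short UDP packet, length field > payload length [**]
01/29-01:00:20.100000 132.0.0.5:0 -> 132.0.0.9:0 UDP TTL:128 TOS:0x0 ID:15668 IpLen:20 DgmLen:161 Len: 133

[**] (snort_decoder): Truncated Tcp Options [**]
01/29-01:00:21.000000 10.1.1.2:0 -> 132.0.0.9:0 TCP TTL:64 TOS:0x0 ID:1 IpLen:20 DgmLen:60 DF
"""

# Header line: "[**] (snort_decoder): <msg> [**]" or "[**] (snort_decoder) WARNING: <msg> [**]".
HEADER_RE = re.compile(
    r"^\[\*\*\]\s*\(snort_decoder\):?\s*(?:WARNING:\s*)?(.*?)\s*(?:\[\*\*\])?\s*$"
)
# Packet line: optional leading "[**]" (as in the wrapped copy quoted above),
# timestamp, src:port -> dst:port, protocol. IPv4 only.
PACKET_RE = re.compile(
    r"^(?:\[\*\*\]\s*)?(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+"
    r"([\d.]+):(\d+)\s+->\s+([\d.]+):(\d+)\s+(TCP|UDP|ICMP)"
)


def parse_alerts(text):
    """Return a list of {'message', 'src', 'dst', 'proto'} dicts."""
    events = []
    pending = None  # decoder message waiting for its packet line
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            pending = m.group(1)
            continue
        m = PACKET_RE.match(line)
        if m and pending is not None:
            events.append({
                "message": pending,
                "src": m.group(2),
                "dst": m.group(4),
                "proto": m.group(6),
            })
            pending = None
    return events


def summarize(events):
    """Counts per decoder message and per source host."""
    by_message = Counter(e["message"] for e in events)
    by_src = Counter(e["src"] for e in events)
    return by_message, by_src


def bpf_exclude_hosts(events, threshold):
    """BPF expression excluding hosts with at least `threshold` decoder events.

    Returns "" when no host reaches the threshold, so the caller can keep
    the decoder checks unchanged.
    """
    _, by_src = summarize(events)
    noisy = sorted(
        (h for h, n in by_src.items() if n >= threshold),
        key=lambda h: (-by_src[h], h),
    )
    if not noisy:
        return ""
    return "not (" + " or ".join("host " + h for h in noisy) + ")"


if __name__ == "__main__":
    evs = parse_alerts(SAMPLE_ALERTS)
    msgs, srcs = summarize(evs)
    for msg, n in msgs.most_common():
        print(f"{n:5d}  {msg}")
    for host, n in srcs.most_common():
        print(f"{n:5d}  {host}")
    # Threshold of 2 is an arbitrary choice for the sample; tune it to your alert volume.
    bpf = bpf_exclude_hosts(evs, 2)
    if bpf:
        # Snort 2.x takes a BPF expression as the trailing command-line argument
        # (or from a file with -F).
        print(f"snort -c snort.conf '{bpf}'")
```

Run it against a real alert file by reading the file instead of `SAMPLE_ALERTS`. If the counts show one or two hosts behind nearly all the events, the BPF filter is the narrower fix; if the messages come from many hosts, that points at a capture problem (snaplen or a bad driver truncating packets) rather than at the checks, which is worth ruling out before adding the `config disable_...` lines.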
