[Snort-users] UDP alerts with sneeze

Russ Combs rcombs at ...1935...
Fri Mar 12 06:31:41 EST 2010


Sriharsha,

Snort is getting an IP:UDP packet with datagram length of 92 and a UDP
length greater than 72.  The packet should look like this, excluding any
layer 2 stuff:

[20 byte IP header] + [8 byte UDP header] + [64 byte UDP payload]

The UDP length field includes both the header and payload lengths, so it
should be 64+8=72, but in fact it is something greater than that (maybe those
8 bytes are being counted twice?).

Here is some partial tshark output of an example packet with UDP length of
73 which generates the alert you are getting:

Internet Protocol, Src: 76.0.0.10 (76.0.0.10), Dst: 4.4.4.10 (4.4.4.10)
    Version: 4
    Header length: 20 bytes
    Total Length: 92
    Protocol: UDP (0x11)
User Datagram Protocol, Src Port: 48620 (48620), Dst Port: 8 (8)
    Length: 73 (bogus, payload length 72)
Data (64 bytes)
    Data: 313233343536373839303132333435363738393031323334...

0000  02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 10   ..............E.
0010  00 5c 00 01 00 00 3f 11 27 69 4c 00 00 0a 04 04   .\....?.'iL.....
0020  04 0a bd ec 00 08 00 49 4c cc 31 32 33 34 35 36   .......IL.123456
0030  37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32   7890123456789012
0040  33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38   3456789012345678
0050  39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34   9012345678901234
0060  35 36 37 38 39 30 31 32 33 34                     5678901234

Hope that helps.
Russ

On Fri, Mar 12, 2010 at 1:35 AM, sri harsha <harsha536 at ...11827...> wrote:

> Hi,
>    I am using snort 2.8.5.2 version on a Linux machine. Using sneeze for
> attacks, I could see alerts generated for icmp rules as attacks. But, for
> UDP packets, I see the following alert messages.
>
> [116:97:1] (snort_decoder): Short UDP packet, length field > payload length
> [**]
> [Priority: 3]
> 03/12-06:17:32.840382 76.0.0.10:0 -> 4.4.4.10:0
> UDP TTL:63 TOS:0x10 ID:0 IpLen:20 DgmLen:92 DF
> UDP header truncated
>
> What can be the reason for this? Thanks for any suggestion in advance.
>
> Thanks,
> Sriharsha
>
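To make the arithmetic in Russ's reply concrete, here is an added Python example (it is not from the thread and not Snort's code) that parses the hex dump he posted, performs the same comparison the decoder makes between the UDP length field and the bytes actually left after the IP header, and then shows the check passing once the length field is rewritten to 72. The alert text for the 73 > 72 case and "UDP header truncated" are the messages quoted in the thread; the labels for the neighbouring cases (field below 8, field smaller than the payload) are my own wording, not Snort's exact strings, and the fix-up leaves the UDP checksum untouched.

```python
import struct

# Packet hex dump copied from Russ's message above, with the ASCII column
# dropped: a 14-byte Ethernet header followed by the 92-byte IPv4 datagram.
HEX_DUMP = """
0000  02 09 08 07 06 05 02 01 02 03 04 05 08 00 45 10
0010  00 5c 00 01 00 00 3f 11 27 69 4c 00 00 0a 04 04
0020  04 0a bd ec 00 08 00 49 4c cc 31 32 33 34 35 36
0030  37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32
0040  33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38
0050  39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34
0060  35 36 37 38 39 30 31 32 33 34
"""

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 0x11
UDP_HEADER_LEN = 8


def parse_hexdump(dump: str) -> bytes:
    """Turn 'offset  xx xx ...' lines into raw bytes (the offset column is ignored)."""
    out = bytearray()
    for line in dump.strip().splitlines():
        tokens = line.split()
        out.extend(int(tok, 16) for tok in tokens[1:])
    return bytes(out)


def decode_udp(frame: bytes) -> dict:
    """Decode Ethernet/IPv4/UDP and apply the UDP length sanity checks.

    The UDP length field must equal the number of bytes left after the IP
    header (UDP header + payload). If the field claims more bytes than are
    actually there, the datagram is "short"; that is the case in the thread.
    """
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP:
        raise ValueError("not a UDP datagram")
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    # Bytes the IP header says belong to UDP, capped by what was captured.
    ip_payload_len = min(total_len - ihl, len(ip) - ihl)
    udp = ip[ihl:ihl + ip_payload_len]

    info = {"src": src, "dst": dst, "ip_total_len": total_len,
            "ip_hdr_len": ihl, "ip_payload_len": ip_payload_len,
            "udp_len": None, "payload_len": None, "alert": None}
    if len(udp) < UDP_HEADER_LEN:
        info["alert"] = "UDP header truncated"
        return info
    sport, dport, udp_len, _csum = struct.unpack("!HHHH", udp[:UDP_HEADER_LEN])
    info.update(sport=sport, dport=dport, udp_len=udp_len,
                payload_len=len(udp) - UDP_HEADER_LEN)
    if udp_len < UDP_HEADER_LEN:
        info["alert"] = "Invalid UDP header, length field < 8"   # my label
    elif udp_len > len(udp):
        # The case from the thread: length field 73 vs 72 bytes present.
        info["alert"] = "Short UDP packet, length field > payload length"
    elif udp_len < len(udp):
        info["alert"] = "Long UDP packet, length field < payload length"  # my label
    return info


def fix_udp_length(frame: bytes) -> bytes:
    """Return a copy whose UDP length field equals the IP payload length.

    Only the length field is rewritten (checksum left as-is), which is enough
    to show the decoder comparison passing once the field is consistent.
    """
    buf = bytearray(frame)
    ihl = (buf[14] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[16:18])[0]
    udp_off = 14 + ihl
    struct.pack_into("!H", buf, udp_off + 4, total_len - ihl)
    return bytes(buf)


if __name__ == "__main__":
    frame = parse_hexdump(HEX_DUMP)
    bad = decode_udp(frame)
    print(f"{bad['src']} -> {bad['dst']}: IP payload {bad['ip_payload_len']} bytes, "
          f"UDP length field {bad['udp_len']}, data {bad['payload_len']} bytes "
          f"-> {bad['alert']}")
    good = decode_udp(fix_udp_length(frame))
    print(f"after setting the length field to {good['udp_len']}: alert={good['alert']}")
```

Run as a script it reports the 92-byte datagram as 20 bytes of IP header plus 72 bytes for UDP, a length field of 73, and the "Short UDP packet" verdict; with the field rewritten to 72 the same decode returns no alert. Any packet generator whose UDP length field disagrees with the IP total length will trip this decoder check in the same way, so comparing the two fields is the first thing to look at when such alerts appear.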