[Snort-users] UDP packet size limit
document.retention at ...11827...
Fri Dec 23 11:48:19 EST 2011
During some recent testing it seems that Snort does not detect large (>1500
bytes) UDP packets. Why does this happen?
I am using hping3 to craft the UDP packets. I see them via tcpdump running
on the Snort box, but Snort refuses to alert.
The rule fires when I have a packet size < 1400 bytes. The rule I am trying
to fire is a very simple "alert udp any any <> any 6033 ..."
What do you guys use to detect this type of packet?