[Snort-users] UDP packet size limit

Document Retention document.retention at ...11827...
Fri Dec 23 11:48:19 EST 2011


During some recent testing it seems that Snort does not detect large (>1500
bytes) UDP packets.  Why does this happen?

I am using hping3 to craft the UDP packets. I see them via tcpdump running
on the Snort box, but Snort refuses to alert.

The rule fires when I have a packet size < 1400 bytes. The rule I am trying
to fire is a very simple "alert udp any any <> any 6033 ..."

What do you guys use to detect this type of packet?

