[Snort-users] UDP packet size limit

Russ Combs rcombs at ...1935...
Fri Dec 23 12:12:06 EST 2011


Lots of possibilities ...

-- Are you sure Snort is seeing the packet(s)?
-- What are Snort's counts?
-- Is the length greater than your MTU?
-- Is it getting fragmented?
-- Is your content (if any) split?
-- Do you have frag3 configured?

On Fri, Dec 23, 2011 at 11:48 AM, Document Retention <
document.retention at ...11827...> wrote:

> Greetings,
>
> During some recent testing it seems that Snort does not detect large
> (>1500 bytes) UDP packets.  Why does this happen?
>
> I am using hping3 to craft the UDP packets. I see them via tcpdump running
> on the Snort box, but Snort refuses to alert.
>
> The rule fires when I have a packet size < 1400 bytes. The rule I am
> trying to fire is a very simple "alert udp any any <> any 6033 ..."
>
> What do you guys use to detect this type of packet?
>
> Thanks,
>
> Doc
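To make the MTU, fragmentation and split-content questions in the reply concrete, here is an added sketch (not code from the thread or from Snort) that lays out how IPv4 splits one UDP datagram and where a content pattern ends up. The 1500-byte MTU, option-less 20-byte IP header, source port 40000 and the `MARKER` payloads are assumptions constructed for illustration.

```python
import struct

IP_HDR = 20    # assumption: IPv4 header without options
UDP_HDR = 8

def fragment_udp(payload, mtu=1500, sport=40000, dport=6033):
    """Split one UDP datagram the way IPv4 does at the given MTU.

    Returns a list of (offset_bytes, more_fragments, data) tuples, where
    data is the slice of the UDP datagram carried by that fragment.
    """
    # UDP header: source port, dest port, length, checksum (left 0 here)
    header = struct.pack("!HHHH", sport, dport, UDP_HDR + len(payload), 0)
    datagram = header + payload
    # Every fragment except the last carries a multiple of 8 bytes.
    chunk = (mtu - IP_HDR) // 8 * 8
    return [(off, off + chunk < len(datagram), datagram[off:off + chunk])
            for off in range(0, len(datagram), chunk)]

def locate_content(frags, content):
    """Report where content is visible if fragments are inspected one by one."""
    for i, (_, _, data) in enumerate(frags):
        if content in data:
            return ("fragment", i)
    if content in b"".join(data for _, _, data in frags):
        return ("split", None)      # visible only after reassembly
    return ("absent", None)

def describe(payload, content=b"MARKER"):
    frags = fragment_udp(payload)
    for i, (off, mf, data) in enumerate(frags):
        ports = "UDP header present" if off == 0 else "no UDP header"
        print(f"frag {i}: offset={off} MF={int(mf)} len={len(data)} ({ports})")
    print("content:", locate_content(frags, content))

if __name__ == "__main__":
    # Constructed payloads; MARKER stands in for a rule's content match.
    describe(b"MARKER" + b"A" * 1394)                 # 1400 bytes, one packet
    describe(b"A" * 1468 + b"MARKER" + b"A" * 126)    # straddles the boundary
    describe(b"A" * 1500 + b"MARKER" + b"A" * 94)     # lands in 2nd fragment
```

Only the fragment at offset 0 carries the UDP ports, so a port-based rule with content can be evaluated against the later bytes only once the datagram has been reassembled.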