[Snort-users] Snort only partially alerting
fc10011001 at ...11827...
Tue Jun 18 17:14:59 EDT 2013
I still don't have a fix yet to the problem of Snort only alerting
occasionally. I have it set up to look for exe downloads using just 2
rules. I have a web site set up to download (not https) an exe file. I
decided to run snort in full packet logger mode to see what was coming in
(/usr/sbin/snort -dev -i p1p1 -l /var/log/snort -h x.x.x.x/16). I
immediately started getting the following warning messages:
(snort_decoder) WARNING: IP dgm len > captured len
I then ran the binary capture through the snort playback (-dvr option).
Looking at the packets tied to my PC, I can see that almost all of them
have a datagram length of 40. Very few packets showed up with a real
payload, certainly not enough to amount to the size of the file I
downloaded during the testing. I'm not sure if there is a config setting
or something else going wrong here such that very few packets have any real
data. Here is a sample of what I am seeing:
06/18-16:20:19.229724 220.127.116.11:62287 -> 18.104.22.168:80
TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A Ack: 0xEF27E0F7 Win: 0x4029 TcpLen: 20
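The decoder warning quoted above means the IPv4 header's total length (the DgmLen Snort prints) is larger than the number of bytes actually captured after the link-layer header, so the decoder never sees the part of the packet that the header claims exists. The script below is an added example, not code from the original post or from the Snort project: it builds two small pcap files in memory from constructed Ethernet/IPv4/TCP frames (addresses, ports and sequence numbers are made up), then replays the same comparison Snort's decoder makes for each packet, also counting the 40-byte datagrams (20-byte IP header plus 20-byte TCP header, no payload) that the post describes. The second capture is written with a 96-byte snaplen to show how a truncated capture produces the warning while a full-snaplen capture of the same frames does not.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic little-endian libpcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_HDR_LEN = 14


def build_frame(payload, src="10.0.0.1", dst="10.0.0.2"):
    """Constructed Ethernet/IPv4/TCP frame (ACK set, checksums left at zero).
    The IP total-length field honestly reflects 20 + 20 + len(payload)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, total_len, 7467, 0x4000, 127, 6, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", 62287, 80, 0x3279955A, 0xEF27E0F7,
                      5 << 4, 0x10, 0x4029, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records, snaplen):
    """Write an in-memory pcap; records is a list of (captured_bytes, wire_length)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)]
    for i, (data, wire_len) in enumerate(records):
        out.append(struct.pack("<IIII", 1371586819 + i, 0, len(data), wire_len))
        out.append(data)
    return b"".join(out)


def check_capture(pcap_bytes):
    """For each IPv4 packet in the pcap, compare the IP header's total length with
    the bytes actually captured after the Ethernet header. dgm_len > captured
    bytes is the condition behind '(snort_decoder) WARNING: IP dgm len > captured len'."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    snaplen, linktype = struct.unpack_from("<II", pcap_bytes, 16)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type handled")
    results, off = [], 24
    while off + 16 <= len(pcap_bytes):
        _ts_sec, _ts_usec, caplen, wire_len = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + caplen]
        off += caplen
        if len(frame) < ETH_HDR_LEN + 20 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
            continue  # too short for an IPv4 header, or not IPv4 at all
        dgm_len = struct.unpack_from("!H", frame, ETH_HDR_LEN + 2)[0]
        captured_ip_len = caplen - ETH_HDR_LEN
        results.append({
            "dgm_len": dgm_len,
            "captured_ip_len": captured_ip_len,
            "wire_len": wire_len,
            "snaplen": snaplen,
            "truncated": dgm_len > captured_ip_len,
        })
    return results


def summarize(results):
    """Counts a practitioner would look at first: truncated packets and pure-ACK (DgmLen 40) packets."""
    return {
        "packets": len(results),
        "truncated": sum(r["truncated"] for r in results),
        "dgm_len_40": sum(r["dgm_len"] == 40 for r in results),
    }


ACK = build_frame(b"")            # 54 bytes on the wire, DgmLen:40 (no payload)
DATA = build_frame(b"A" * 1000)   # 1054 bytes on the wire, DgmLen:1040

# Constructed captures: the same two frames, once with a full snaplen and once
# with a 96-byte snaplen that cuts the data packet short.
GOOD_PCAP = build_pcap([(ACK, len(ACK)), (DATA, len(DATA))], snaplen=65535)
SHORT_PCAP = build_pcap([(ACK, len(ACK)), (DATA[:96], len(DATA))], snaplen=96)

if __name__ == "__main__":
    for name, pcap in (("full snaplen", GOOD_PCAP), ("snaplen 96", SHORT_PCAP)):
        res = check_capture(pcap)
        print(name, summarize(res))
        for r in res:
            if r["truncated"]:
                print("  WARNING: IP dgm len > captured len "
                      f"(DgmLen:{r['dgm_len']} captured:{r['captured_ip_len']} "
                      f"wire:{r['wire_len']} snaplen:{r['snaplen']})")
```

Running this against a real capture (swap the constructed pcaps for the bytes of a file written by `snort -l` or tcpdump) separates two cases that look alike in `-dvr` output: if the captured length is smaller than the recorded wire length and sits at the snaplen, the capture itself is cutting packets and the snaplen Snort passes to its DAQ is the place to look; if the captured and wire lengths agree but the IP total length is still larger, the capture source handed Snort frames that were already shorter than their IP headers claim, which points at the capture path rather than at Snort's configuration. The DgmLen 40 count is just the number of pure ACKs; by itself it says nothing about whether data segments were lost.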