[Snort-users] Snort only partially alerting

Frank Calone fc10011001 at ...11827...
Tue Jun 18 17:14:59 EDT 2013


I still don't have a fix yet to the problem of Snort only alerting
occasionally.  I have it set up to look for exe downloads using just 2
rules.  I have a web site set up to download (not https) an exe file.  I
decided to run snort in full packet logger mode to see what was coming in
(/usr/sbin/snort -dev -i p1p1 -l /var/log/snort -h x.x.x.x/16).  I
immediately started getting the following warning messages:

(snort_decoder) WARNING: IP dgm len > captured len

I then ran the binary capture through the snort playback (-dvr option).
Looking at the packets tied to my PC, I can see that almost all of them
have a datagram length of 40.  Very few packets showed up with a real
payload, certainly not enough to amount to the size of the file I
downloaded during the testing.  I'm not sure if there is a config setting
or something else going wrong here such that very few packets have any real
data.  Here is a sample of what I am seeing:

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.229724 15.0.0.18:62287 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A  Ack: 0xEF27E0F7  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Frank
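The warning quoted above is emitted when the decoder finds an IP header whose total length exceeds the number of bytes actually captured for that frame, so the first thing to establish is how much TCP payload the dump really contains. As an added example (not from the post, and not Snort's own code), the Python below parses the text layout Snort prints in -dev / -dvr mode and tallies header-only packets against packets carrying data, per direction; the first packet is the one quoted in the post, the other addresses, IDs and sizes are constructed.

```python
import re
from collections import Counter

# Constructed sample dump in the layout of Snort's -dev / -dvr text output.
# The first packet is the one quoted in the post; the other two are made up
# (hypothetical IDs and sizes) so the parser has something to compare.
SAMPLE_DUMP = """\
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.229724 15.0.0.18:62287 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:7467 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A  Ack: 0xEF27E0F7  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.231105 212.13.197.229:80 -> 15.0.0.18:62287
TCP TTL:54 TOS:0x0 ID:31001 IpLen:20 DgmLen:1500 DF
***AP*** Seq: 0xEF27E0F7  Ack: 0x3279955A  Win: 0x00FF  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
06/18-16:20:19.231980 15.0.0.18:62287 -> 212.13.197.229:80
TCP TTL:127 TOS:0x0 ID:7468 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x3279955A  Ack: 0xEF27E6AB  Win: 0x4029  TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

# One packet starts with a "timestamp src -> dst" line; the IP and TCP
# header lines that follow carry the lengths we need.
HDR_RE = re.compile(r"^(\S+) (\S+) -> (\S+)$")
IP_RE = re.compile(r"IpLen:(\d+) DgmLen:(\d+)")
TCP_RE = re.compile(r"TcpLen: (\d+)")


def parse_dump(text):
    """Turn the text dump into a list of packet dicts with a computed payload size."""
    packets = []
    current = None
    for line in text.splitlines():
        m = HDR_RE.match(line)
        if m:
            current = {"ts": m.group(1), "src": m.group(2), "dst": m.group(3)}
            packets.append(current)
            continue
        if current is None:
            continue
        m = IP_RE.search(line)
        if m:
            current["ip_len"] = int(m.group(1))
            current["dgm_len"] = int(m.group(2))
        m = TCP_RE.search(line)
        if m:
            current["tcp_len"] = int(m.group(1))
    for p in packets:
        # TCP payload is whatever the datagram has left after both headers.
        p["payload"] = p.get("dgm_len", 0) - p.get("ip_len", 0) - p.get("tcp_len", 0)
    return packets


def summarize(packets):
    """Count header-only packets versus packets carrying data, per direction."""
    summary = {"total": len(packets), "with_payload": 0, "header_only": 0,
               "payload_bytes": Counter(), "short_datagrams": []}
    for p in packets:
        direction = f"{p['src']} -> {p['dst']}"
        if p["payload"] > 0:
            summary["with_payload"] += 1
            summary["payload_bytes"][direction] += p["payload"]
        elif p["payload"] == 0:
            # DgmLen == IpLen + TcpLen: a bare ACK or similar, no data at all.
            summary["header_only"] += 1
        else:
            # DgmLen smaller than the headers it claims: malformed or truncated.
            summary["short_datagrams"].append(p["ts"])
    return summary


if __name__ == "__main__":
    s = summarize(parse_dump(SAMPLE_DUMP))
    print(f"{s['total']} packets, {s['header_only']} header-only, "
          f"{s['with_payload']} with data")
    for direction, nbytes in s["payload_bytes"].items():
        print(f"  {direction}: {nbytes} payload bytes")
```

Run it over the real dump (read the file instead of SAMPLE_DUMP) and compare the server-to-client byte total with the size of the file that was downloaded; if the per-direction total is far below the file size while the decoder keeps reporting "IP dgm len > captured len", the capture itself is handing Snort less data than the IP headers say is on the wire, and no rule can match content it never sees.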