[Snort-users] why UDP disc acquire?

Andrey Kiryukhin andrei_1980 at ...1975...
Sat Jun 25 05:01:58 EDT 2016


Why do you think the UDP packets are malformed? Tools like Wireshark, tcpdump
and tcpreplay handle them correctly. These packets only have a wrong
checksum, but I disabled checksum verification in Snort by using the option "-k
none".



24.06.2016 19:05, Al Lewis (allewi) wrote:
>
> It looks like snort is discarding them because they are all malformed.
>
> Albert Lewis
>
> QA SNORT/Sourcefire
>
> SOURCEfire, Inc. now part of Cisco
>
> 9780 Patuxent Woods Drive
> Columbia, MD 21046
>
> Phone: (office) 443.430.7112
>
> Email: allewi at ...589...
>
>
>
> From: Andrei_1980 <andrei_1980 at ...1975...>
> Date: Friday, June 24, 2016 at 11:28 AM
> To: allewi <allewi at ...589...>, 'snort-users'
> <snort-users at lists.sourceforge.net>
> Subject: Re: [Snort-users] why UDP disc acquire?
> Subject: Re: [Snort-users] why UDP disc acquire?
>
> Hmm, strange. I attached the pcap to the first message. OK, reattaching it
> to this message.
>
> On 24.06.2016 18:22, Al Lewis (allewi) wrote:
>> Hello,
>>
>> Can you provide us with the pcap or a sample of it?
>>
>>
>>
>>
>> From: Andrei_1980 <andrei_1980 at ...1975...>
>> Date: Friday, June 24, 2016 at 11:06 AM
>> To: 'snort-users' <snort-users at lists.sourceforge.net>
>> Subject: [Snort-users] why UDP disc acquire?
>>
>> Hi all. I use Snort 2.9.8.2. I have a pcap file for an old attack (see
>> attachment). It contains only UDP packets.
>> I wrote a test rule:
>>
>> alert udp any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype:
>> attempted-dos; sid:1000001; rev:1;)
>>
>> and ran Snort:
>>
>> snort  -c ./etc/snort.conf -A console -K none  -k none  -r
>> ./pcaps/DOS_Nbisakmp.pcap
>>
>> and got no alerts. In the output stats I have:
>>
>> ...........
>> Packet I/O Totals:
>>    Received:          100
>>    Analyzed:          100 (100.000%)
>>     Dropped:            0 (  0.000%)
>>    Filtered:            0 (  0.000%)
>> Outstanding:            0 (  0.000%)
>>    Injected:            0
>> .....................
>>
>> Breakdown by protocol (includes rebuilt packets):
>>         Eth:          100 (100.000%)
>>        VLAN:            0 (  0.000%)
>>         IP4:          100 (100.000%)
>>        Frag:            0 (  0.000%)
>>        ICMP:            0 (  0.000%)
>>         UDP:          100 (100.000%)
>> ...................
>>    UDP Disc:          100 (100.000%)
>>   ICMP Disc:            0 (  0.000%)
>> All Discard:          100 (100.000%)
>>
>> (see the attachment for the full output and snort.conf)
>>
>>
>> If I change the rule (udp to ip):
>>
>> alert ip any 500 -> any 500 (msg:"DOS Nbisakmp"; classtype:
>> attempted-dos; sid:1000001; rev:1;)
>>
>> all packets generate alerts.
>>
>>
>> So why are the UDP packets in the sample pcap discarded if I use the udp
>> protocol in the alert?
>

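Added note and example (not part of the thread above, and not Snort's own code). As I read Snort 2.9's decode.c, "-k none" only turns off checksum verification; the decoder still discards a UDP datagram whose length field is larger than the IPv4 payload or smaller than the 8-byte UDP header, and those decoder discards are what the "UDP Disc" counter reports, before any rule is evaluated. A capture that tcpdump and Wireshark dissect without complaint can therefore still come out as 100% UDP Disc. The script below reproduces those checks over every packet of a classic pcap, with checksum verification switchable to mirror "-k none". The file name DOS_Nbisakmp.pcap comes from the original post; the script name udp_disc_check.py and the three sample packets are my own, and the sample is constructed, not the poster's capture.

```python
"""Apply the Snort 2.9 UDP decoder's sanity checks to each packet of a pcap.

Added example, not Snort's code. My reading of Snort 2.9 decode.c: a UDP length
field larger than the IPv4 payload or smaller than 8 gets the datagram discarded
(counted as "UDP Disc") before any rule runs; the checksum is checked only when
checksum_mode is on. Ethernet/IPv4 only, no VLAN tags, no fragments.
"""
import socket
import struct
import sys

ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
UDP_HEADER_LEN = 8

def checksum16(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def udp_checksum(src: bytes, dst: bytes, udp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the datagram as given: with the
    checksum field zeroed it is the value to send; over a received datagram it is 0."""
    return checksum16(src + dst + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp)) + udp)

def classify_frame(frame: bytes, verify_checksum: bool = True) -> str:
    """Return "ok" or the reason the Snort 2.9 UDP decoder would discard the frame."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return "not_ipv4"
    ip = frame[14:]
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP:
        return "not_udp"
    if ihl < 20 or total_len < ihl or total_len > len(ip):
        return "ip_length_bad"
    if struct.unpack("!H", ip[6:8])[0] & 0x3FFF:   # MF set or offset != 0: frag3's job
        return "fragment"
    src, dst, udp = ip[12:16], ip[16:20], ip[ihl:total_len]
    if len(udp) < UDP_HEADER_LEN:
        return "udp_shorter_than_header"
    uhlen = struct.unpack("!H", udp[4:6])[0]
    if uhlen > len(udp):                           # length field claims more than IP carries
        return "udp_len_exceeds_ip_payload"
    if uhlen < UDP_HEADER_LEN:                     # length field smaller than the header itself
        return "udp_len_below_header"
    udp = udp[:uhlen]                              # bytes past uh_len are ignored
    # A zero checksum field means "no checksum" (RFC 768) and is never verified.
    if verify_checksum and udp[6:8] != b"\x00\x00" and udp_checksum(src, dst, udp) != 0:
        return "bad_checksum"
    return "ok"

def pcap_frames(data: bytes):
    """Yield the frames of a classic (not pcapng) LINKTYPE_ETHERNET pcap."""
    endian = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}
    endian = endian[struct.unpack("<I", data[:4])[0]]      # KeyError: not a classic pcap
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet pcaps are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        yield data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def analyze_pcap(data: bytes, verify_checksum: bool = True) -> list:
    """Per-packet verdicts; every verdict other than "ok" would be one UDP Disc."""
    return [classify_frame(f, verify_checksum) for f in pcap_frames(data)]

def build_frame(src_ip, dst_ip, sport, dport, payload, udp_len=None, corrupt_checksum=False):
    """Ethernet/IPv4/UDP test frame; udp_len and corrupt_checksum make it malformed."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    uhlen = UDP_HEADER_LEN + len(payload) if udp_len is None else udp_len
    udp = struct.pack("!HHHH", sport, dport, uhlen, 0) + payload
    csum = udp_checksum(src, dst, udp) or 0xFFFF         # a zero result is sent as 0xFFFF
    if corrupt_checksum:
        csum = (csum ^ 0xFFFF) or 0x0001                  # never the valid value, never zero
    udp = udp[:6] + struct.pack("!H", csum) + udp[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:]
    return bytes.fromhex("001122334455 66778899aabb 0800") + ip + udp

def write_pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1466766000 + i, 0, len(f), len(f)) + f
    return out

# Constructed sample (not the poster's DOS_Nbisakmp.pcap): three port-500 datagrams,
# one well-formed, one whose length field exceeds the IP payload, one with a bad checksum.
SAMPLE_PCAP = write_pcap([
    build_frame("10.0.0.1", "10.0.0.2", 500, 500, b"\x00" * 28),
    build_frame("10.0.0.1", "10.0.0.2", 500, 500, b"\x00" * 28, udp_len=0xFFFF),
    build_frame("10.0.0.1", "10.0.0.2", 500, 500, b"\x00" * 28, corrupt_checksum=True),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    for verify in (True, False):
        verdicts = analyze_pcap(data, verify)
        print("checksum verification %s: %d of %d packets would be UDP Disc"
              % ("on" if verify else "off (-k none)", sum(v != "ok" for v in verdicts), len(verdicts)))
        for i, v in enumerate(verdicts, 1):
            print("  packet %d: %s" % (i, v))
```

Run it against the real capture with `python3 udp_disc_check.py DOS_Nbisakmp.pcap`. A verdict of udp_len_exceeds_ip_payload or udp_len_below_header on every packet would account for 100% UDP Disc regardless of "-k none", since those packets never reach the udp rule group. If instead every packet is bad_checksum with verification on and ok with it off, the checksum is the only problem and it is worth confirming that snort.conf carries no `config checksum_mode:` line that disagrees with the command line.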