[Snort-users] why UDP disc acquire?

Andrey Kiryukhin andrei_1980 at ...1975...
Sat Jun 25 18:54:20 EDT 2016


Thank you, guys. It's really a malformed packet, because the UDP length was
incorrect.  In the pcap file:
IP total length = 828 bytes
UDP length = 800 bytes, but it must be 808 bytes.  I corrected this in the
pcap file, and now Snort generates alerts on this pcap file.

Thanks.


25.06.2016 15:50, wkitty42 at ...14940... wrote:
> On 06/25/2016 05:01 AM, Andrey Kiryukhin wrote:
>> Why do you think that the UDP packet is malformed? Tools like wireshark, tcpdump and
>> tcpreplay handle it correctly.  These packets have only a wrong checksum, but I
>>  disable checksum control in Snort by using the option "-k none".
> a wrong checksum indicates several possible problems...
>
>    malformed packet
>    corrupted packet
>    modified packet
>    bad checksum formula
>
> yes, some would say that the first three are the same thing but there are subtle 
> differences... the first one is generated incorrectly, the second one has been 
> damaged somewhere along the line and the third one has been modified somehow 
> along the line...
>
