[Snort-users] why UDP disc acquire?
andrei_1980 at ...1975...
Sat Jun 25 18:54:20 EDT 2016
Thank you, guys. It's really a malformed packet, because the UDP length was
incorrect. In the pcap file:
IP total length = 828 bytes
UDP length = 800 bytes, but it must be 808 bytes. I corrected this in the
pcap file, and now Snort generates alerts on this pcap file.
25.06.2016 15:50, wkitty42 at ...14940... wrote:
> On 06/25/2016 05:01 AM, Andrey Kiryukhin wrote:
>> Why do you think that the UDP packet is malformed? Tools like Wireshark, tcpdump and
>> tcpreplay handle it correctly. These packets only have a wrong checksum, but I
>> disable checksum control in Snort by using the option "-k none".
> a wrong checksum indicates several possible problems...
> malformed packet
> corrupted packet
> modified packet
> bad checksum formula
> yes, some would say that the first three are the same thing but there are subtle
> differences... the first one is generated incorrectly, the second one has been
> damaged somewhere along the line and the third one has been modified somehow
> along the line...
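
The length mismatch reported at the top of this message (IP total length 828, UDP length 800 instead of 808) can be checked mechanically. The following is an added example, not code from the thread or from Snort; it assumes a raw IPv4 packet without the link-layer header, and the sample packets (20-byte IP header, addresses, ports) are constructed for illustration.

```python
import struct

def udp_length_check(ip_packet: bytes):
    """Return (expected_udp_len, actual_udp_len, consistent) for an IPv4/UDP packet."""
    if len(ip_packet) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len = struct.unpack("!BBH", ip_packet[:4])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4            # IP header length in bytes
    if ihl < 20 or total_len < ihl + 8:
        raise ValueError("invalid IPv4 header or total length")
    if len(ip_packet) < ihl + 8:
        raise ValueError("truncated UDP header")
    if ip_packet[9] != 17:                # protocol field, 17 = UDP
        raise ValueError("not UDP")
    flags_frag = struct.unpack("!H", ip_packet[6:8])[0]
    if flags_frag & 0x3FFF:               # MF flag set or non-zero fragment offset
        raise ValueError("fragmented datagram; length check needs reassembly")
    udp_len = struct.unpack("!H", ip_packet[ihl + 4:ihl + 6])[0]
    expected = total_len - ihl            # UDP header + payload carried by IP
    return expected, udp_len, udp_len == expected

def build_sample(ip_total_len: int, udp_len: int) -> bytes:
    """Constructed test packet: 20-byte IPv4 header, UDP header, zero payload."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_total_len, 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    udp_hdr = struct.pack("!HHHH", 40000, 53, udp_len, 0)  # ports are constructed
    return ip_hdr + udp_hdr + bytes(ip_total_len - 28)

if __name__ == "__main__":
    # Values from the message: 800 as found in the pcap, 808 after correction.
    for label, udp_len in (("original", 800), ("corrected", 808)):
        exp, act, ok = udp_length_check(build_sample(828, udp_len))
        print(f"{label}: UDP length {act}, expected {exp}, consistent={ok}")
```
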