[Snort-users] Dont discard truncated packets

Felix Erlacher felix.erlacher at ...17726...
Thu Jan 26 14:04:22 EST 2017

Hi all,

I have a pcap trace with one packet containing payload for a rule I want
to test. The packet is truncated. The rule does not trigger an alert.
I can see in the protocol statistics that one IPv4 packet is discarded.
As I only have one packet in the trace I assume it is discarded because
it is truncated.

Can I tell Snort to not discard truncated packets?

Or better, not to discard packets with "basic encoding integrity flaws"
as the manual calls it.
I tried various preproc options from the manual, always with the result
of truncated packets being discarded.
While I am aware that having Snort analyze truncated packets might not
be the best of ideas, it would be helpful in various test scenarios.

BTW: I am using the "-k none" switch, so this problem shouldn't be
caused by checksum errors.

Felix Erlacher

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 473 bytes
Desc: OpenPGP digital signature
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20170126/bc0b3bf3/attachment.sig>

More information about the Snort-users mailing list