[Snort-users] Snort3: no rule for "bad cksum"

Russ rucombs at cisco.com
Thu Mar 28 08:18:09 EDT 2019


Snort doesn't actually alert on bad checksums because it is something 
that happens to normal traffic and network nodes are expected to drop 
such packets.  Ideally your Snort deployment would be such that Snort 
expects good checksums and can safely drop those packets too but there 
are times when Snort might need to disregard checksums due to snap 
length, LRO, etc.  In any case, Snort will report these bad checksum counts:

$ snort --help-counts | grep checksum
icmp4.bad_checksum: non-zero icmp checksums (sum)
icmp6.bad_icmp6_checksum: nonzero icmp6 checksums (sum)
ipv4.bad_checksum: nonzero ip checksums (sum)
tcp.bad_tcp4_checksum: nonzero tcp over ip checksums (sum)
tcp.bad_tcp6_checksum: nonzero tcp over ipv6 checksums (sum)
udp.bad_udp4_checksum: nonzero udp over ipv4 checksums (sum)
udp.bad_udp6_checksum: nonzero udp over ipv6 checksums (sum)

These pegs will show up in the shutdown output.  They can also be 
configured to be logged with perf_monitor stats.

Hope that helps.

On 3/28/19 6:58 AM, Meridoff via Snort-users wrote:
> Wed, 27 Mar 2019 at 12:26, Meridoff <oagvozd at gmail.com>:
>     Hello, I've set up in network {}  table all options concerning
>     cksum evaluating and bad cksum dropping. All is ok - bad cksum
>     packet is not forwarded through snort.
>     But now messages in log about it. And I've not found any rule for
>     bad cksum in builtin rules.
> Misprinted: "But no messages in log about it"
>     Why? And how I can recognize that packet with bad cksum was
>     alerted/dropped and so on ?
>     Thanks!
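
As an added example (not part of the original message and not Snort's own tooling): a small Python filter that pulls the bad-checksum pegs listed in the reply out of saved shutdown output. The sample text is constructed, and its layout (a module name line followed by indented `peg: count` lines) is an assumption about how the stats are printed.

```python
import re

# Peg names exactly as listed by `snort --help-counts | grep checksum` in the reply.
CHECKSUM_PEGS = {
    "icmp4.bad_checksum", "icmp6.bad_icmp6_checksum", "ipv4.bad_checksum",
    "tcp.bad_tcp4_checksum", "tcp.bad_tcp6_checksum",
    "udp.bad_udp4_checksum", "udp.bad_udp6_checksum",
}

# Constructed sample. Assumed layout: module name on its own line,
# then indented "peg: count" lines, sections separated by dashes.
SAMPLE = """\
--------------------------------------------------
Module Statistics
--------------------------------------------------
ipv4
             bad_checksum: 2
--------------------------------------------------
tcp
        bad_tcp4_checksum: 5
        bad_tcp6_checksum: 0
--------------------------------------------------
stream_tcp
                 sessions: 14
--------------------------------------------------
"""

MODULE_LINE = re.compile(r"^(\w+)\s*$")          # e.g. "ipv4"
PEG_LINE = re.compile(r"^\s+(\w+):\s+(\d+)\b")   # e.g. "   bad_checksum: 2"

def checksum_counts(text):
    """Return {module.peg: count} for nonzero bad-checksum pegs in text.

    Counts are summed if the same peg appears more than once, so several
    saved shutdown outputs can be concatenated and passed in together.
    """
    counts, module = {}, None
    for line in text.splitlines():
        m = MODULE_LINE.match(line)
        if m:
            module = m.group(1)
            continue
        m = PEG_LINE.match(line)
        if m and module:
            name = f"{module}.{m.group(1)}"
            if name in CHECKSUM_PEGS and int(m.group(2)) > 0:
                counts[name] = counts.get(name, 0) + int(m.group(2))
    return counts

if __name__ == "__main__":
    for name, count in sorted(checksum_counts(SAMPLE).items()):
        print(f"{name}: {count}")
```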
