
[Snort-users] 1.9.0 and "Unknown Datagram decoding problem"


Jason Haar

Oct 8, 2002, 5:10:03 PM
On our network, this alert is triggering every time our SNMP network
management server talks to any host over our VPN. It appears to be matching
on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
traffic than "normal" networks).

Any timeframe for either fixing this or being able to disable it?

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list

Erek Adams

Oct 8, 2002, 5:35:07 PM
On Wed, 9 Oct 2002, Jason Haar wrote:

> On our network, this alert is triggering every time our SNMP network
> management server talks to any host over our VPN. It appears to be matching
> on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
> traffic than "normal" networks).

Hrm... It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or
ICMP_REDIRECT.

If you have it, I'd suggest grabbing a pcap of some of those packets and then
building a debug version of snort. Enable debugging in the decoder and then
run the pcap thru it to track down what it's really doing.

> Any timeframe for either fixing this or being able to disable it?

With the right info, you should be able to write a BPF filter to drop the
packets that are causing it for now.

Cheers!

-----
Erek Adams
Nifty-Type-Guy
TheAdamsFamily.Net

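To make the diagnosis above concrete (why a non-first UDP/SNMP fragment or an ICMP unreachable/redirect can land in a decoder's "unknown datagram" path, and what a BPF pre-filter would have to match), here is an added Python example; it is not code from this thread or from Snort's decoder, and the packet builder, the classification strings and the BPF expression at the end are the editor's own constructions.

```python
import struct

IPV4_FMT = "!BBHHHBBH4s4s"  # ver/ihl, tos, total len, id, flags+frag, ttl, proto, csum, src, dst


def ipv4(proto, flags_frag, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build a constructed IPv4 packet (no options, checksum left zero) for illustration."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0, src, dst)
    return hdr + payload


def classify(pkt):
    """Report what a decoder can learn from the IPv4 header and fragment fields alone."""
    if len(pkt) < 20:
        return "truncated: no full IPv4 header"
    ver_ihl, _, _, _, ff, _, proto, _, _, _ = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20:
        return "not IPv4"
    more_frags = bool(ff & 0x2000)
    offset = (ff & 0x1FFF) * 8
    payload = pkt[ihl:]
    if offset != 0:
        # Only the first fragment carries the UDP header; later fragments are opaque bytes.
        return f"non-first fragment of proto {proto} at offset {offset}: no transport header to decode"
    if proto == 17 and len(payload) >= 8:
        sport, dport, _, _ = struct.unpack("!HHHH", payload[:8])
        tag = "SNMP" if {sport, dport} & {161, 162} else "UDP"
        return f"{'first fragment ' if more_frags else ''}{tag} {sport}->{dport}"
    if proto == 1 and len(payload) >= 8:
        itype, icode = payload[0], payload[1]
        inner = payload[8:]  # dest-unreachable (3) and redirect (5) quote the original IP header
        if itype in (3, 5) and len(inner) >= 20:
            return f"ICMP type {itype} code {icode} quoting inner proto {inner[9]}"
        return f"ICMP type {itype} code {icode}"
    return f"unknown datagram: proto {proto}, {len(payload)} payload bytes"


# tcpdump/BPF syntax matching non-first fragments of UDP datagrams (fragment offset != 0);
# negate it ("not (...)") to keep such packets away from the decoder. Editor's assumption.
BPF_NONFIRST_UDP_FRAGS = "ip proto 17 and (ip[6:2] & 0x1fff) != 0"
```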

Chris Green

Oct 8, 2002, 7:40:48 PM
Erek Adams <er...@theadamsfamily.net> writes:

> On Wed, 9 Oct 2002, Jason Haar wrote:
>
>> On our network, this alert is triggering every time our SNMP network
>> management server talks to any host over our VPN. It appears to be matching
>> on UDP SNMP frags (exp: with VPNs, you tend to see a LOT more fragged
>> traffic than "normal" networks).
>

Please give me a pcap of the traffic that it is generating alerts on.
I made the default "we don't know how to decode this or we screwed up
decoding" do a bit more verbosity rather than the ErrorMessages() it
used to do.

In the meantime,

config disable_decode_alerts

in your snort.conf will help.

> Hrm... It seems that it's not from SNMP but from an ICMP_DEST_UNREACHABLE or
> ICMP_REDIRECT.
>
> If you have it, I'd suggest grabbing a pcap of some of those packets and then
> building a debug version of snort. Enable debugging in the decoder and then
> run the pcap thru it to track down what it's really doing.
>
>> Any timeframe for either fixing this or being able to disable it?
>
> With the right info, you should be able to write a BPF filter to drop the
> packets that are causing it for now.
>
> Cheers!
>
> -----
> Erek Adams
> Nifty-Type-Guy
> TheAdamsFamily.Net

--
Chris Green <c...@sourcefire.com>
Don't use a big word where a diminutive one will suffice.
