Snort mailing list archives

Re: IP short header


From: Peter Kahle <pkahle () pobox com>
Date: Sat, 2 Mar 2002 22:45:19 -0600


Message: 7
Date: Sat, 2 Mar 2002 15:55:15 -0800
From: John Sage <jsage () finchhaven com>
To: Render-Vue <sales () render-vue com>
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] IP short header

Well, the short answer that doesn't tell you much is that the IP
header is expected to be 20 bytes long.

What you're receiving is only 18 long, and it triggers a rule in
-- hmm.. I can't grep for 'short header' in *.rules -- what version of
snort did you say you were running, and what platform ;-) ?
 
 This looks suspiciously like a DEBUG printf in DecodeIPOnly (I'm
 looking in 1.8.1 source, I think):
 printf("ICMP Unreachable IP header length: %lu\n", (unsigned long)hlen);

 So it may not be in a rule at all.
 P

-- 

Those who would give up essential Liberty to purchase a little temporary 
safety, deserve neither Liberty nor safety.
                                        -- Ben Franklin

|| Peter M Kahle Jr              ||     PGP Public Key on Keyservers     ||
|| pkahle () pobox com              ||    http://pops.dyndns.com/~pkahle/   || 
##===============================##======================================##
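
An added example, not code from the Snort source or from either poster: the kind of length check a decoder makes before reading an IPv4 header, such as the one quoted inside an ICMP unreachable message. The function, enum and sample names are hypothetical, and the sample header bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

#define IP_MIN_HLEN 20u  /* IPv4 header without options */

enum ip_check {
    IP_OK = 0,
    IP_TRUNCATED,      /* fewer than 20 bytes available */
    IP_BAD_VERSION,    /* version nibble is not 4 */
    IP_BAD_IHL,        /* IHL field claims fewer than 20 bytes */
    IP_OPTS_TRUNCATED  /* IHL claims more bytes than are present */
};

/* Validate the IPv4 header at buf, of which len bytes are available.
 * On IP_OK, *hlen receives the header length in bytes (20..60).
 * Hypothetical helper for illustration, not a Snort function. */
enum ip_check check_ip_header(const uint8_t *buf, size_t len, size_t *hlen)
{
    if (len < IP_MIN_HLEN)
        return IP_TRUNCATED;      /* do not read fields from a short buffer */
    if ((buf[0] >> 4) != 4)
        return IP_BAD_VERSION;

    /* IHL counts 32-bit words, so the claimed length is a multiple of 4. */
    size_t claimed = (size_t)(buf[0] & 0x0f) * 4;
    if (claimed < IP_MIN_HLEN)
        return IP_BAD_IHL;
    if (claimed > len)
        return IP_OPTS_TRUNCATED;

    *hlen = claimed;
    return IP_OK;
}

/* Constructed sample: 20-byte header, 192.0.2.1 -> 198.51.100.7, UDP,
 * checksum left as zero because it is not examined here. */
static const uint8_t sample_hdr[20] = {
    0x45, 0x00, 0x00, 0x1c, 0x12, 0x34, 0x00, 0x00,
    0x40, 0x11, 0x00, 0x00, 192, 0, 2, 1,
    198, 51, 100, 7
};

/* Result when only the first `avail` bytes (at most 20) were captured. */
enum ip_check check_sample_prefix(size_t avail)
{
    size_t hlen = 0;
    return check_ip_header(sample_hdr, avail, &hlen);
}
```

With only 18 of the 20 bytes available, `check_sample_prefix(18)` returns `IP_TRUNCATED` before any header field is read.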


