Snort mailing list archives

Snort Problem running on Ubuntu - Latest Stable version


From: Code Six <code.c6 () gmail com>
Date: Fri, 25 Mar 2011 12:42:08 -0500

Good Afternoon,

I'm having a slight problem with Snort 2.9.0.4 since upgrading to it last
night on my Ubuntu servers.
I upgraded some Snort sensors last night, and now I'm getting a load of
snort_decoder warnings.

The problem with this is that they are disabled in the config. I also
upgraded some Debian servers that are running Lenny; this is not happening on
those machines.
It's only on the Ubuntu servers.

Mar 25 06:43:34 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: TCP Header length exceeds packet length!
Mar 25 06:43:34 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: Experimental Tcp Options found
Mar 25 06:43:34 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: TCP Data Offset is less than 5!
Mar 25 06:43:35 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: TCP packet len is smaller than 20 bytes!
Mar 25 06:43:37 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: Truncated Tcp Options
Mar 25 06:43:37 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: Truncated Tcp Options
Mar 25 06:43:37 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: Experimental Tcp Options found
Mar 25 06:43:38 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: Experimental Tcp Options found
Mar 25 06:43:38 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: Experimental Tcp Options found
Mar 25 06:43:38 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: Experimental Tcp Options found
Mar 25 06:43:38 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: Experimental Tcp Options found
Mar 25 06:43:38 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: Experimental Tcp Options found


Last night I was also getting the following in my logs and had to start
Snort with --snaplen 1518 in order to make it stop:

Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm len > captured len!

The decoder section of my config reads like so:

#########################################
# Configure Snort Decoder

config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config checksum_mode: noudp
config disable_ipopt_alerts
config disable_decode_drops
config detection: search-method ac-bnfa max_queue_events 5
config event_queue: max_queue 8 log 3 order_events content_length
config tagged_packet_limit: 5


Any ideas?
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
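Added triage script (not from the poster or the Snort project): it re-joins the mail-wrapped syslog lines, tallies each snort_decoder warning per Snort process, reads the "config disable_..." directives from the decoder section of snort.conf, and reports which warnings are still being logged even though the directive that is supposed to cover them is set. The sample log lines and config are constructed from the text quoted above; the mapping from warning text to directive is an assumption based on the directive names in the Snort manual (anything not listed is treated as a generic decode alert). Warnings that mention "captured len" are flagged separately, since that family is the one the poster reports went away after starting Snort with --snaplen 1518.

```python
import re
from collections import Counter

# Constructed sample input: syslog lines in the format quoted in the post,
# wrapped the way the mail client wrapped them.
SAMPLE_SYSLOG = """\
Mar 25 06:43:34 neo-edgeids1 snort[19175]: (snort_decoder) WARNING: TCP
Header length exceeds packet length!
Mar 25 06:43:34 neo-edgeids1 snort[19175]: (snort_decoder) WARNING:
Experimental Tcp Options found
Mar 25 06:43:37 neo-edgeids1 snort[19175]: (snort_decoder) WARNING:
Truncated Tcp Options
Mar 25 06:43:38 neo-edgeids1 snort[19175]: (snort_decoder) WARNING:
Experimental Tcp Options found
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm
len > captured len!
Mar 25 01:00:15 neo-edgeids1 snort[27447]: (snort_decoder) WARNING: IP dgm
len > captured len!
"""

# Constructed sample: the decoder section of snort.conf as posted.
SAMPLE_CONF = """\
config disable_decode_alerts
config disable_tcpopt_experimental_alerts
config disable_tcpopt_obsolete_alerts
config disable_tcpopt_ttcp_alerts
config disable_tcpopt_alerts
config checksum_mode: noudp
config disable_ipopt_alerts
config disable_decode_drops
"""

TS_RE = re.compile(r'^\w{3} +\d+ \d\d:\d\d:\d\d ')
SYSLOG_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>\w+)\[(?P<pid>\d+)\]: \(snort_decoder\) WARNING: (?P<msg>.*)$'
)

# ASSUMPTION: which "config disable_..." directive is meant to cover each
# warning text, inferred from the directive names in the Snort manual.
# Anything not listed is treated as a generic decode alert.
SUPPRESSED_BY = {
    "Experimental Tcp Options found": "disable_tcpopt_experimental_alerts",
    "Truncated Tcp Options": "disable_tcpopt_alerts",
}
GENERIC_DIRECTIVE = "disable_decode_alerts"


def unwrap(text):
    """Re-join mail-wrapped records: a line without a leading syslog
    timestamp is a continuation of the previous record."""
    records = []
    for line in text.splitlines():
        if TS_RE.match(line):
            records.append(line)
        elif records:
            records[-1] = records[-1] + ' ' + line.strip()
    return records


def parse_warnings(text):
    """Return one dict (ts, host, prog, pid, msg) per snort_decoder warning."""
    out = []
    for rec in unwrap(text):
        m = SYSLOG_RE.match(rec)
        if m:
            out.append(m.groupdict())
    return out


def parse_disabled(conf_text):
    """Collect the bare 'config disable_*' directives from a snort.conf chunk,
    ignoring comments and directives that take a value."""
    disabled = set()
    for line in conf_text.splitlines():
        line = line.split('#', 1)[0].strip()
        m = re.match(r'^config\s+(disable_\w+)\s*$', line)
        if m:
            disabled.add(m.group(1))
    return disabled


def triage(log_text, conf_text):
    """Per (pid, warning): count, the directive assumed to cover it, whether
    that directive is set, and whether the warning is snaplen-related."""
    disabled = parse_disabled(conf_text)
    counts = Counter((w['pid'], w['msg']) for w in parse_warnings(log_text))
    report = []
    for (pid, msg), n in sorted(counts.items()):
        directive = SUPPRESSED_BY.get(msg, GENERIC_DIRECTIVE)
        report.append({
            'pid': pid, 'msg': msg, 'count': n, 'directive': directive,
            'directive_set': directive in disabled,
            # "captured len" is the snaplen-limited capture size; the post
            # reports these stopped after --snaplen 1518.
            'snaplen_related': 'captured len' in msg,
        })
    return report


if __name__ == "__main__":
    for r in triage(SAMPLE_SYSLOG, SAMPLE_CONF):
        flag = "SET BUT STILL LOGGED" if r['directive_set'] else "not disabled"
        extra = " (check --snaplen)" if r['snaplen_related'] else ""
        print(f"pid {r['pid']} x{r['count']:<3} {r['msg']!r}: "
              f"{r['directive']} {flag}{extra}")
```

Run it against a real /var/log/syslog and the decoder section of the sensor's snort.conf; any line reported as "SET BUT STILL LOGGED" is exactly the discrepancy described in the post and is worth raising together with the Snort version and build options of the affected sensor.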