Disable snort_decoder



  • Hi guys,

    Snort sporadically shows this alert:

    [ ** ] [ 116:255:1 ] (snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ] 
    06/30-17:13:01.314419 xxx.60.xxx.134 -> xxx.18.xxx.29
    ICMP TTL:245 TOS:0x0 ID:30975 IpLen:20 DgmLen:56 DF
    Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
    ** ORIGINAL DATAGRAM DUMP:
    xxx.18.xxx.29:0 -> xxx.60.xxx.134:0
    UDP TTL:54 TOS:0x0 ID:0 IpLen:20 DgmLen:412
    ** END OF DUMP

    Snort blocks both IPs, although xxx.18.xxx.29 is in the Whitelist. How can I disable the snort_decoder rule?

    Thanks!

