Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Disable snort_decoder

    Scheduled Pinned Locked Moved pfSense Packages
    1 Posts 1 Posters 1.9k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • J
      jochen123
      last edited by

      Hi guys,

      snort sporadically shows this Alert:

      [ ** ] [ 116:255:1 ] (snort_decoder) WARNING: ICMP Original IP Fragmented and Offset Not 0! [ ** ] 
      06/30-17:13:01.314419 xxx.60.xxx.134 -> xxx.18.xxx.29
      ICMP TTL:245 TOS:0x0 ID:30975 IpLen:20 DgmLen:56 DF
      Type:3 Code:3 DESTINATION UNREACHABLE: PORT UNREACHABLE
      ** ORIGINAL DATAGRAM DUMP:
      xxx.18.xxx.29:0 -> xxx.60.xxx.134:0
      UDP TTL:54 TOS:0x0 ID:0 IpLen:20 DgmLen:412
      ** END OF DUMP

      Snort blocks both IPs, although xxx.18.xxx.29 is in the Whitelist. How can I disable the snort_decoder rule?

      Thanks!

      1 Reply Last reply Reply Quote 0
      • First post
        Last post
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.