Provided by Aanval (Snort & Syslog Intrusion Detection and Correlation Engine) www.aanval.com
--
| GEN:SID | 1:521 |
| Message | MISC Large UDP Packet |
| Summary | This event is generated when an overly large UDP packet is observed. |
| Impact | Possible denial of service. UDP packet payloads are typically smaller than 4000 bytes. One possible explanation of a payload of greater than 4000 bytes is an attempted denial of service. |
| Detailed Information | UDP payloads are typically smaller than 4000 bytes since the UDP protocol is intended to be used for the transmission of smaller payloads. When a large payload is observed, it may be a sign or anomalous activity, perhaps an attempted denial of service against the remote host. |
| Affected Systems | Any system that listens for a UDP service. |
| Attack Scenarios | An attacker may craft large UDP payloads in an attempt to cause a denial of service against a remote host. |
| Ease of Attack | Simple. |
| Corrective Action | Allow only known UDP protocols inbound. |
| Additional References | Arachnids: http://www.whitehats.com/info/IDS521 |
| Rule References | arachnids: 247 |
--
DID:637674
--
http://www.aanval.com/