Does Bro have any way to handle corrupt packets that appear to be impossibly large? When we get those in our setup, it hangs. Thanks.
You're going to have to define "impossibly large". Could you also describe more what you mean when you say it hangs too?
Just a pre-guess though… Do you have any NIC features enabled for extended packet handling?
http://securityonion.blogspot.com/2011/10/when-is-full-packet-capture-not-full.html
.Seth
Our current best guess is 1,766,926,155 bytes. That's clearly far above the jumbo limit, or any other limit I can think of. When we try to open that packet in Wireshark, it's corrupt, which I believe to be true.

How does Bro handle such a case? Does it understand that such a thing is corrupt?
How was this packet acquired? It sounds like you have a corrupted packet capture.
.Seth
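A sanity check for the capture file itself, added here as an example and not code from this thread or from Bro: it walks the pcap record headers and stops at the first record whose length field exceeds the file's snaplen, a plausibility ceiling (assumed to be 262144 bytes), its own wire length, or the bytes actually left in the file, so the bogus record is reported instead of read. The sample capture is constructed inline and carries the 1,766,926,155-byte length quoted above.

```python
import struct
from collections import namedtuple

# Ceiling on a plausible captured frame; assumed value, not from the thread.
MAX_SANE_LEN = 262144

Finding = namedtuple("Finding", "index offset incl_len orig_len status")


def check_pcap(data, max_sane=MAX_SANE_LEN):
    # Walk classic pcap record headers and stop at the first implausible one.
    if len(data) < 24:
        raise ValueError("file shorter than a pcap global header")
    (magic,) = struct.unpack("<I", data[:4])
    if magic in (0xA1B2C3D4, 0xA1B23C4D):      # little-endian, usec/nsec
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):    # big-endian, usec/nsec
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    (snaplen,) = struct.unpack(endian + "I", data[16:20])   # global header snaplen
    findings, offset, index = [], 24, 0
    while offset + 16 <= len(data):
        _sec, _frac, incl_len, orig_len = struct.unpack(
            endian + "IIII", data[offset:offset + 16])
        remaining = len(data) - offset - 16
        if incl_len > snaplen:
            status = "exceeds snaplen"
        elif incl_len > max_sane:
            status = "exceeds sane maximum"
        elif incl_len > orig_len:
            status = "captured more than wire length"
        elif incl_len > remaining:
            status = "truncated file"
        else:
            status = "ok"
        findings.append(Finding(index, offset, incl_len, orig_len, status))
        if status != "ok":
            break                 # later offsets cannot be trusted
        offset += 16 + incl_len
        index += 1
    return findings


def build_sample_pcap():
    # Constructed capture: one 60-byte frame, then a bogus 1,766,926,155-byte record.
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frame = b"\x00" * 60
    good = struct.pack("<IIII", 1, 0, len(frame), len(frame)) + frame
    bogus = struct.pack("<IIII", 2, 0, 1766926155, 1766926155) + b"\xff" * 10
    return header + good + bogus
```

Run `check_pcap(open(path, "rb").read())` on a real file; the returned list ends at the first record that fails a check, with its byte offset.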
Most network adapters have LRO on by default. This can translate to large packets on Bro input. If you are running Bro on Linux you will see this behavior.