readme.decode
Overview
========

Decoding is one of the first processes a packet goes through in Snort. The
decoder has the job of determining which underlying protocols are used in
the packet (such as Ethernet, IP, TCP, etc.) and saves this data along with
the location of the payload/application data in the packet (which it doesn't
try to decode) and the size of this payload for use by the preprocessor and
detection engines.

As the decoder steps through the packet headers, it also looks for errors or
anomalies in the fields of these headers, which, if configured in snort.conf,
can be alerted upon and even dropped if Snort is running in inline mode. For
example, if the Ethernet protocol field points to IPv4, but the size of the
packet that was captured (after the Ethernet header) is less than 20 bytes
(the minimum length for an IPv4 header), Snort will (by default) generate an
alert and move the packet out of the decoding phase.

While Snort doesn't alert on bad checksums, whether or not Snort is checking
them affects how the system responds to packets that have been flagged as
having bad checksums. Stream and Frag will not process packets that have
been flagged as having bad checksums.

Note:
To enable decoding of GRE encapsulated traffic pass --enable-gre to configure.

Configuration
=============

The following lists the options available for configuring the decoder.
"disable" options mean that those alerts are enabled by default and "enable"
options mean they are disabled by default.

Snort must be running in inline mode for the "drops" options to have any
effect. Also, note that alerting must be enabled for the particular
alert/drop option pair in order for the "drops" options to work.

- Options:

    disable_decode_alerts
        By default, decoder alerts are enabled - use this option to disable
        these alerts.

    enable_decode_drops
        If in inline mode, drop packets that are alerted on.

    disable_ipopt_alerts
        Disable alerts generated due to bad IP options.
    enable_ipopt_drops
        Drop packets that are alerted on due to bad IP options.

    disable_tcpopt_alerts
        Disable alerts generated due to bad TCP options.

    enable_tcpopt_drops
        Drop packets that are alerted on due to bad TCP options.

    disable_ttcp_alerts
        Disable alerts generated due to detection of T/TCP.

    enable_ttcp_drops
        Drop packets that are alerted on due to T/TCP detection.

    disable_tcpopt_obsolete_alerts
        Disable alerts generated due to detection of obsolete TCP options -
        Skeeter, Bubba and Unassigned.

    enable_tcpopt_obsolete_drops
        Drop packets that are alerted on due to obsolete TCP options.

    disable_tcpopt_experimental_alerts
        Disable alerts generated due to detection of experimental TCP options
        (kinds 9, 10, 15, 20, 21, 22, 23, 24 - see
        http://www.iana.org/assignments/tcp-parameters for what these are).

    enable_tcpopt_experimental_drops
        Drop packets that are alerted on due to experimental TCP options.

    enable_decode_oversized_alerts
        Enable alerts generated due to the length field (IP, TCP, UDP)
        indicating a larger packet than we captured. Note that this is the
        only decoder alert option that is disabled by default.

    enable_decode_oversized_drops
        Drop packets that are alerted on due to the header length field
        indicating a larger packet than we captured.

    checksum_mode all|none|noip|notcp|noudp|noicmp|ip|tcp|udp|icmp
        By default checksums are computed for IP, TCP, UDP and ICMP. Use this
        option to disable checksum checking of specific protocols. Use a
        space separated list.

    checksum_drop all|none|noip|notcp|noudp|noicmp|ip|tcp|udp|icmp
        By default packets with bad checksums are not dropped if in inline
        mode. Use a space separated list. Note that Snort must be doing
        checksums for a particular protocol in order to drop packets with
        bad checksums for that protocol.
Example configurations
======================

To enable oversized alerts:

    config enable_decode_oversized_alerts

To enable drops on decode events:

    config enable_decode_drops
    config enable_decode_oversized_alerts
    config enable_decode_oversized_drops

To disable TCP option alerts:

    config disable_tcpopt_alerts
    config disable_tcpopt_obsolete_alerts
    config disable_tcpopt_experimental_alerts

To disable IP and TCP checksum checking:

    config checksum_mode noip notcp

To drop all packets that have bad checksums:

    config checksum_drop all

Alerts
======

The decoder uses generator ID 116.

The list of SIDs is as follows for each type of alert:

decode_alerts

SID   Description
---   -----------
  1   Ethernet protocol is IPv4 but version field in IPv4 header has a value
      other than 4
  2   IPv4 header length field contains a value that is less than 20 bytes
      (the minimum IPv4 header length)
  3   IPv4 total length field contains a value that is less than the IPv4
      header length (the packet cannot hold its own header; the "larger than
      captured" case is SID 6 under decode_oversized_alerts)
 45   The length of the captured packet (starting from TCP header) is less
      than 20 bytes (the minimum TCP header length)
 46   The value of the TCP offset field is less than 5 words (20 bytes)
 95   The length of the captured packet (starting from UDP header) is less
      than 8 bytes (the UDP header length)
 96   The value of the UDP length field is less than the size of a UDP header
 97   UDP length field contains a value that is larger than the captured
      length of the packet (starting from UDP header)
105   The length of the captured packet (starting from ICMP header) is less
      than the minimum header length for that ICMP type
106   The length of the payload (starting from ICMP header) is less than the
      minimum header length for ICMP Timestamp Request and Reply types
107   The length of the payload (starting from ICMP header) is less than the
      minimum header length for ICMP Address Mask Request and Reply types
109   The length of the captured packet (starting from ARP header) is less
      than the length of an ARP header
110   The length of the captured packet (starting from EAPOL header) is less
      than the length of an EAPOL header
111   The length of the captured packet (starting from EAP key) is less than
      the length of an EAP key
112   The length of the captured packet (starting from EAP header) is less
      than the length of an EAP header
120   The length of the captured packet (starting from PPPoE header) is less
      than the length of a PPPoE header
130   The length of the captured packet (starting from VLAN header) is less
      than the length of a VLAN (802.1q) header
131   The length of the captured packet (starting from VLAN header) is less
      than the length of a VLAN (802.1q) header plus the LLC header
132   The length of the captured packet (starting from VLAN header) is less
      than the length of a VLAN (802.1q) header plus the LLC header plus the
      SNAP header
133   The length of the captured packet (starting from 802.11 header) is less
      than the length of an 802.11 data header plus LLC header
140   The length of the captured packet (starting from Token Ring header) is
      less than the length of a Token Ring header
141   The length of the captured packet (starting from Token Ring header) is
      less than the length of a Token Ring header plus LLC header
142   The length of the captured packet (starting from Token Ring header) is
      less than the length of a Token Ring header plus LLC header plus MR
      header plus value of length field in MR header
143   The length of the captured packet (starting from Token Ring header) is
      less than the length of a Token Ring header plus LLC header plus MR
      header
150   The source and/or destination IPv4 address are the loopback address
      (127.0.0.1)
151   The source and destination IPv4 addresses are the same
250   The length of the captured packet (starting from the ICMP encapsulated
      IP header) is less than the minimum length of an IPv4 header
251   The encapsulated IPv4 header of an ICMP packet has a value other than 4
      in the version field
252   The length of the captured packet (starting from the ICMP encapsulated
      IP header) is less than the ICMP encapsulated IP header length
253   The ICMP encapsulated IP payload is less than 64 bits (at least 64 bits
      must be included - RFC 792)
254   The ICMP encapsulated IP payload is greater than 576 bytes
255   The ICMP encapsulated IP was fragmented, but the fragment offset is not
      0 (an ICMP message is only returned for the first fragment)

If GRE is enabled (--enable-gre was given to configure):

160   The length of the captured packet (starting from GRE header) is less
      than the length of a GRE header
161   There are multiple GRE encapsulations in the packet (currently not
      allowed)

ipopt_alerts

SID   Message
---   -------
  4   A bad length was found in IPv4 options
  5   Truncated IPv4 options

tcpopt_alerts

SID   Message
---   -------
 54   A bad length was found in TCP options
 55   Truncated TCP options

ttcp_alerts

SID   Message
---   -------
 56   T/TCP was detected

tcpopt_obsolete_alerts

SID   Message
---   -------
 57   Obsolete TCP options found

tcpopt_experimental_alerts

SID   Message
---   -------
 58   Experimental TCP options found

decode_oversized_alerts

SID   Message
---   -------
  6   The IPv4 length field contains a value that is greater than the length
      of the captured packet (starting from the IPv4 header)
 47   The TCP header length field contains a value that is greater than the
      length of the captured packet (starting from the TCP header)
 98   The UDP header length field contains a value that is greater than the
      length of the captured packet (starting from the UDP header)
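The following is an added example, written for this page and not Snort's own decoder code. It re-implements the Ethernet/IPv4/TCP/UDP subset of the sanity checks listed above over hand-built frames, reports (gid, sid) pairs using generator 116 and the SIDs from the tables, and models three behaviours the text describes: decoding stops once a header is unusable, the oversized checks (SIDs 6 and 47) only fire when the option that models enable_decode_oversized_alerts is on, and a bad IPv4 header checksum is flagged rather than alerted (the flag is what keeps Stream and Frag away from the packet). All function and parameter names (decode, build_ipv4, tcp_header, udp_header, oversized_alerts, check_ip_csum) are this example's own; the loopback check treats the whole 127/8 block as loopback, which is this example's choice rather than something the README states.

```python
import struct

GID = 116                      # decoder generator ID from the README
ETHERTYPE_IPV4 = 0x0800
ETH_HLEN, IP_MIN_HLEN, TCP_MIN_HLEN, UDP_HLEN = 14, 20, 20, 8
PROTO_TCP, PROTO_UDP = 6, 17


def rfc1071_checksum(data: bytes) -> int:
    """Ones' complement sum of 16-bit words; returns 0 when a header verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode(frame: bytes, oversized_alerts: bool = False, check_ip_csum: bool = True):
    """Decode Ethernet/IPv4/{TCP,UDP}; return (events, bad_checksum).

    events: list of (gid, sid) using the SIDs from the Alerts section.
    oversized_alerts models enable_decode_oversized_alerts (off by default).
    check_ip_csum models 'checksum_mode ip' (on by default).
    """
    events = []
    if len(frame) < ETH_HLEN or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return events, False              # not IPv4: none of the checks below apply
    ip = frame[ETH_HLEN:]
    if len(ip) < IP_MIN_HLEN:
        return events, False              # too short to read a header; discarded
    vhl, _tos, ip_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", ip[:20])
    version, hlen = vhl >> 4, (vhl & 0x0F) * 4
    if version != 4:
        events.append((GID, 1))           # version field is not 4
        return events, False
    if hlen < IP_MIN_HLEN:
        events.append((GID, 2))           # header length field below 20 bytes
        return events, False
    if ip_len > len(ip):
        if oversized_alerts:
            events.append((GID, 6))       # total length exceeds captured length
        return events, False
    if ip_len < hlen:
        events.append((GID, 3))           # total length cannot hold the header
        return events, False
    if src[0] == 127 or dst[0] == 127:    # example's choice: whole 127/8 block
        events.append((GID, 150))
    if src == dst:
        events.append((GID, 151))
    # Bad checksum is not an alert; the flag is what Stream/Frag act on.
    bad_csum = check_ip_csum and rfc1071_checksum(ip[:hlen]) != 0
    l4 = ip[hlen:ip_len]
    if proto == PROTO_TCP:
        if len(l4) < TCP_MIN_HLEN:
            events.append((GID, 45))      # captured TCP segment shorter than header
            return events, bad_csum
        offset = (l4[12] >> 4) * 4
        if offset < TCP_MIN_HLEN:
            events.append((GID, 46))      # data offset below 5 words
        elif offset > len(l4) and oversized_alerts:
            events.append((GID, 47))      # data offset past captured length
    elif proto == PROTO_UDP:
        if len(l4) < UDP_HLEN:
            events.append((GID, 95))      # captured UDP datagram shorter than header
            return events, bad_csum
        udp_len = struct.unpack("!H", l4[4:6])[0]
        if udp_len < UDP_HLEN:
            events.append((GID, 96))      # length field below 8
        elif udp_len > len(l4):
            events.append((GID, 97))      # length field past captured length
    return events, bad_csum


# --- constructed test frames (not captured traffic) ---------------------------
def build_ipv4(payload: bytes, proto: int, src=b"\x0a\x00\x00\x01",
               dst=b"\x0a\x00\x00\x02", ihl=5, total_len=None, version=4,
               fix_csum=True) -> bytes:
    """Ethernet + 20-byte IPv4 header + payload; knobs let callers corrupt fields."""
    total_len = (ihl * 4 + len(payload)) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", (version << 4) | ihl, 0, total_len,
                      0, 0, 64, proto, 0, src, dst)
    if fix_csum:
        hdr = hdr[:10] + struct.pack("!H", rfc1071_checksum(hdr)) + hdr[12:]
    eth = b"\xff" * 6 + b"\x00" * 6 + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + hdr + payload


def tcp_header(data_offset_words: int = 5) -> bytes:
    """20-byte TCP SYN with an adjustable data offset (4-bit words)."""
    return struct.pack("!HHIIBBHHH", 1234, 80, 0, 0,
                       data_offset_words << 4, 0x02, 8192, 0, 0)


def udp_header(length: int = 8) -> bytes:
    """8-byte UDP header with an adjustable length field."""
    return struct.pack("!HHHH", 1234, 53, length, 0)


if __name__ == "__main__":
    print(decode(build_ipv4(tcp_header(), PROTO_TCP)))
    print(decode(build_ipv4(tcp_header(), PROTO_TCP, total_len=1500), oversized_alerts=True))
    print(decode(build_ipv4(udp_header(4), PROTO_UDP, fix_csum=False)))
```

Run it against a frame with total_len=1500 once with oversized_alerts off and once with it on: the first call returns no event, the second returns (116, 6), which is the behaviour the Configuration section describes for the one alert option that is disabled by default.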