Next: , Previous: Events handled by flow_weird, Up: weird Module



7.24.7 Events handled by net_weird

net_weird (name: string)
is invoked for “weird” events that cannot be associated with a particular connection or set of hosts. Except as noted, the default action for all such events is WEIRD_FILE.

net_weird handles the following events:

bad_IP_checksum
A packet had a bad IP header checksum.


bad_TCP_header_len
The length of the TCP header (which is itself specified in the header) was smaller than the minimum allowed size.


internally_truncated_header
A captured packet with a valid IP length field was smaller as actually recorded, such that the captured version of the packet was illegally small. This event may reflect an error in Bro's packet capture hardware or software.

Default: WEIRD_LOG_ALWAYS, because this event can indicate a basic problem with Bro's packet capture.

truncated_IP
A captured packet either was too small to include a minimal IP header, or the full length as recorded by the packet capture library was smaller than the length as indicated by the IP header.
truncated_header
An IP datagram's header indicates a length smaller than that required for the indicated transport type (TCP, UDP, ICMP).