7.24.7 Events handled by net_weird
net_weird (name: string)
- is invoked for “weird” events that cannot be associated with
a particular connection or set of hosts. Except as noted, the
default action for all such events is WEIRD_FILE.
net_weird handles the following events:
bad_IP_checksum
- A packet had a bad IP header checksum.
bad_TCP_header_len
- The length of the TCP header (which is
itself specified in the header) was smaller than the minimum
allowed size.
internally_truncated_header
- A captured packet with a valid
IP length field was actually recorded as smaller, such that the
captured version of the packet was illegally small. This event
may reflect an error in Bro's packet capture hardware or software.
Default: WEIRD_LOG_ALWAYS, because this event can indicate
a basic problem with Bro's packet capture.
truncated_IP
- A captured packet either was too small to
include a minimal IP header, or the full length as recorded by
the packet capture library was smaller than the length as indicated
by the IP header.
truncated_header
- An IP datagram's header indicates a length
smaller than that required for the indicated transport type (TCP,
UDP, ICMP).
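The header checks behind four of these events can be reproduced offline to triage a suspicious capture. The following is an added illustration, not Bro's own code: classify() and build_ip() are hypothetical names, the order of the checks is an assumption, and internally_truncated_header is not modelled.

```python
import struct

# Minimum transport header sizes by IP protocol number (ICMP=1, TCP=6, UDP=17).
MIN_TRANSPORT = {1: 8, 6: 20, 17: 8}

def ip_checksum(header: bytes) -> int:
    """Ones' complement sum over the IP header; 0 when the stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(pkt: bytes):
    """Return the weird name for a raw IPv4 packet, or None if none applies.
    len(pkt) stands for the length recorded by the packet capture library."""
    if len(pkt) < 20:
        return "truncated_IP"          # too small for a minimal IP header
    ihl = (pkt[0] & 0x0F) * 4          # IP header length in bytes
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if len(pkt) < total_len:
        return "truncated_IP"          # capture shorter than the IP length field
    if ip_checksum(pkt[:ihl]) != 0:
        return "bad_IP_checksum"
    proto = pkt[9]
    if proto in MIN_TRANSPORT and total_len - ihl < MIN_TRANSPORT[proto]:
        return "truncated_header"      # no room for the transport header
    if proto == 6 and (pkt[ihl + 12] >> 4) * 4 < 20:
        return "bad_TCP_header_len"    # TCP data offset below the minimum
    return None

def build_ip(proto: int, payload: bytes) -> bytes:
    """Constructed sample input: 20-byte IPv4 header (valid checksum) + payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

def tcp_header(data_offset_words: int) -> bytes:
    """Constructed 20-byte TCP header with the given data offset field."""
    return struct.pack("!HHIIBBHHH", 1234, 80, 0, 0,
                       data_offset_words << 4, 0x02, 8192, 0, 0)

if __name__ == "__main__":
    print(classify(build_ip(6, tcp_header(5))))   # well-formed packet
    print(classify(build_ip(6, tcp_header(4))))   # data offset of 16 bytes
```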