Snort mailing list archives
Re: Garbage in snort logs
From: Martin Roesch <roesch () sourcefire com>
Date: Wed, 09 Jan 2002 00:51:17 -0500
Hi Russell, I made some tweaks to stream4 tonight that will hopefully clear up your problem, check out the latest code from cvs if you're interested (the SNORT_1_8 branch, not the 1.9-dev code). This is build 89. It now fills in the Ethernet headers appropriately and is a little tighter in how it puts things together, hopefully it'll clear up your problem. Let me know how it goes. -Marty russell wrote:
I have made some progress in working out what is going on. I now have two snort sensors working in parallel so I can twiddle the config file of one and see how the logs compare to the 'standard' config. I have now established that commenting out the 'preprocessor stream4_reassemble' has the effect of not logging the packets with MAC address 0. I.e. I don't get alerts at all for these events when the reassembling is not enabled. This suggests that the problems are occurring in the reassembling code. I tracked one alert that was logged by the snort instance doing reassembling and not logged by the other. I verified from our argus logs that there was a session at this time with the logged port numbers but we failed to find anything in the web server logs that matched the logged content of the packet (an attempt to execute command.exe by escaping from _vti_bin). This suggests to me that there is packet corruption taking place in the packet reassembling *before* the pattern matching takes place and that packets from different tcp streams are being mixed. From the look of the data in the logged packets I would guess that some lengths are not being correctly set so the data from some previous packet gets appended.
-- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
-- Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999 Sourcefire: Professional Snort Sensor and Management Console appliances roesch () sourcefire com - http://www.sourcefire.com Snort: Open Source Network IDS - http://www.snort.org
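Russell's method (two sensors differing only in stream4_reassemble, then looking for alerts whose logged packet has an all-zero MAC) can be scripted. The following is an added example, not code from the thread or from Snort: it parses alert records in Snort's text alert format (the layout assumed here is the Ethernet-header line as printed with -e, followed by the IP line), flags records whose Ethernet addresses are both zero as stream4-built pseudo-packets, and lists the alerts that only the reassembling sensor produced. The log lines, rule IDs, addresses and all helper names are constructed for the example.

```python
"""Triage Snort alert logs for stream4 pseudo-packets.

Added example, not part of the thread or of Snort's own code. Assumes the
text alert format with an Ethernet header line (as printed with -e):

    [**] [gid:sid:rev] message [**]
    MM/DD-HH:MM:SS.ffffff SRC_MAC -> DST_MAC type:0xETYPE len:0xLEN
    SRC_IP:SPORT -> DST_IP:DPORT PROTO ...

Records are separated by blank lines. All sample data below is constructed.
"""
import re

ZERO_MAC = "00:00:00:00:00:00"

MSG_RE = re.compile(r"^\[\*\*\] (?:\[[^\]]*\] )?(?P<msg>.*?) \[\*\*\]$")
ETH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<smac>[0-9A-Fa-f:]+) -> (?P<dmac>[0-9A-Fa-f:]+) "
    r"type:0x(?P<etype>[0-9A-Fa-f]+) len:0x(?P<len>[0-9A-Fa-f]+)$"
)
IP_RE = re.compile(
    r"^(?P<sip>\d+(?:\.\d+){3}):(?P<sport>\d+) -> "
    r"(?P<dip>\d+(?:\.\d+){3}):(?P<dport>\d+) (?P<proto>\w+)"
)


def norm_mac(mac):
    """Snort prints MAC bytes with %X (no zero padding); normalise to aa:bb:cc:..."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_alerts(text):
    """Return one dict per alert record: msg, ts, smac, dmac, framelen, flow."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends a record
            if cur is not None:
                records.append(cur)
            cur = None
            continue
        m = MSG_RE.match(line)
        if m:
            cur = {"msg": m.group("msg"), "flow": None}
            continue
        if cur is None:                   # text before the first [**] header
            continue
        m = ETH_RE.match(line)
        if m:
            cur["ts"] = m.group("ts")
            cur["smac"] = norm_mac(m.group("smac"))
            cur["dmac"] = norm_mac(m.group("dmac"))
            cur["framelen"] = int(m.group("len"), 16)
            continue
        m = IP_RE.match(line)
        if m:
            cur["flow"] = (m.group("sip"), int(m.group("sport")),
                           m.group("dip"), int(m.group("dport")), m.group("proto"))
    if cur is not None:
        records.append(cur)
    return records


def is_reassembled(rec):
    """stream4 pseudo-packets in the affected 1.8 builds carry no real
    Ethernet header, so both addresses print as zero (the tell in the thread)."""
    return rec.get("smac") == ZERO_MAC and rec.get("dmac") == ZERO_MAC


def alert_key(rec):
    return (rec["msg"], rec["flow"])


def only_on(sensor_a, sensor_b):
    """Alerts raised by sensor_a whose (message, flow) sensor_b never raised."""
    seen_b = {alert_key(r) for r in sensor_b}
    return [r for r in sensor_a if alert_key(r) not in seen_b]


def suspects(reassembly_on, reassembly_off):
    """Alerts only the reassembling sensor produced AND built from a
    pseudo-packet: the ones to cross-check against flow and web server logs."""
    return [r for r in only_on(reassembly_on, reassembly_off) if is_reassembled(r)]


# Constructed sample logs: sensor A has stream4_reassemble on, sensor B has it off.
SENSOR_A_LOG = """\
[**] [1:1288:5] WEB-MISC /_vti_bin/ access [**]
01/08-14:01:10.000100 0:A0:C9:1:2:3 -> 0:10:4B:4:5:6 type:0x800 len:0x1A2
172.16.9.8:4567 -> 192.168.5.20:80 TCP TTL:128 TOS:0x0 ID:4321 IpLen:20 DgmLen:404

[**] [1:1002:5] WEB-IIS cmd.exe access [**]
01/08-14:01:10.000300 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x0
10.1.2.3:33114 -> 192.168.5.20:80 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:1520

[**] [1:1243:5] WEB-IIS ISAPI .ida attempt [**]
01/08-14:02:00.000200 0:E0:29:7:8:9 -> 0:10:4B:4:5:6 type:0x800 len:0x5EA
10.9.9.9:1025 -> 192.168.5.20:80 TCP TTL:110 TOS:0x0 ID:9876 IpLen:20 DgmLen:1500
"""

SENSOR_B_LOG = """\
[**] [1:1288:5] WEB-MISC /_vti_bin/ access [**]
01/08-14:01:10.000150 0:A0:C9:1:2:3 -> 0:10:4B:4:5:6 type:0x800 len:0x1A2
172.16.9.8:4567 -> 192.168.5.20:80 TCP TTL:128 TOS:0x0 ID:4321 IpLen:20 DgmLen:404

[**] [1:1243:5] WEB-IIS ISAPI .ida attempt [**]
01/08-14:02:00.000250 0:E0:29:7:8:9 -> 0:10:4B:4:5:6 type:0x800 len:0x5EA
10.9.9.9:1025 -> 192.168.5.20:80 TCP TTL:110 TOS:0x0 ID:9876 IpLen:20 DgmLen:1500
"""

if __name__ == "__main__":
    for r in suspects(parse_alerts(SENSOR_A_LOG), parse_alerts(SENSOR_B_LOG)):
        print(f"{r['ts']} {r['msg']} {r['flow']} framelen={r['framelen']}")
```

Once a build that fills in the Ethernet headers (Marty's build 89) is deployed, the zero-MAC tell goes away and only the two-sensor difference remains as the check; the flow tuple the script prints is what you then look up in argus and the web server logs, as Russell did.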
Current thread:
- Garbage in snort logs russell (Jan 06)
- Re: Garbage in snort logs Phil Wood (Jan 07)
- Re: Garbage in snort logs Jim Forster (Jan 07)
- preprocessor Ganu Skop (Jan 07)
- Re: preprocessor Martin Roesch (Jan 08)
- <Possible follow-ups>
- Re: Garbage in snort logs russell (Jan 07)
- Re: Garbage in snort logs Phil Wood (Jan 08)
- Re: Garbage in snort logs russell (Jan 08)
- Re: Garbage in snort logs Martin Roesch (Jan 08)
- Re: Garbage in snort logs Martin Roesch (Jan 08)
- Re: Garbage in snort logs Andreas Östling (Jan 10)
- "Connnection closed"? (spelled wrong!) Edwin Eefting (Jan 10)
- Re: "Connnection closed"? (spelled wrong!) John Sage (Jan 13)
- Re: Garbage in snort logs Phil Wood (Jan 07)
- Re: Garbage in snort logs Phil Wood (Jan 09)
- Getting an error using -r Ken Pickering (Jan 09)
- Re: Getting an error using -r Ken Pickering (Jan 09)
- CVS version not finding pcap includes Bob Van Cleef (Jan 09)
- Re: Garbage in snort logs Frank (Jan 10)