Snort mailing list archives

Re: snort 1.8.3 splicing packets


From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 10 Jan 2002 11:15:54 -0700 (MST)

On Thu, 10 Jan 2002, Scott Nursten wrote:

> 1. Snort seems to be splicing packets - i.e. If I nmap a machine and
> surf the web at the same time, I get ICMP/HTTP spliced packets in my
> MySQL DB. At first it looked really scary, like ICMP tunnelling or
> something to that effect, but when I realised that I controlled what
> went into the ICMP packet, I dropped a Trinux box on the network and
> dumped the packets alongside snort. The result was astounding - no HTTP
> data in my ICMP packets after all :)

Russell Fulton has recently reported similar results on the Snort-users
list.  In his case, the problem appears to be related to the
stream4 preprocessor.  As a test, could you try temporarily running with
that shut off for a bit, and see if the problem is still there?  Marty has
reported that he has made some changes to it to address this in the
latest 1.8.3 CVS copy.

                                        Ryan
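For readers following the suggested test, the snort.conf fragment below is an added illustration (not from this thread or the Snort project) of what "running with stream4 shut off" looks like in a 1.8.x-era configuration. It assumes the stock `preprocessor stream4` and `preprocessor stream4_reassemble` lines; the trailing option values are representative and may differ from your own file. Both lines are disabled together, since reassembly depends on the stream4 session tracker, and the rest of the preprocessor set is left as-is so that only one variable changes between runs.

```conf
# --- Before: stream4 session tracking and TCP reassembly enabled ---
preprocessor stream4: detect_scans
preprocessor stream4_reassemble

# --- For the test: comment out BOTH stream4 lines, leave everything else ---
# preprocessor stream4: detect_scans
# preprocessor stream4_reassemble

# Unchanged preprocessors, kept so only stream4 differs between runs
preprocessor frag2
preprocessor http_decode: 80 -unicode -cginull
preprocessor portscan: $HOME_NET 4 3 portscan.log
```

Run the same scan-plus-browsing workload against both configurations and compare the logged ICMP payloads with a second packet capture taken on the wire, as the original poster did; if the spliced ICMP/HTTP payloads disappear with stream4 disabled, the observation points at the preprocessor rather than at traffic actually on the network.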

