Snort mailing list archives
Re: snort 1.8.3 splicing packets
From: Ryan Russell <ryan () securityfocus com>
Date: Thu, 10 Jan 2002 11:15:54 -0700 (MST)
On Thu, 10 Jan 2002, Scott Nursten wrote:
> 1. Snort seems to be splicing packets - i.e. if I nmap a machine and surf the web at the same time, I get ICMP/HTTP spliced packets in my MySQL DB. At first it looked really scary, like ICMP tunnelling or something to that effect, but when I realised that I controlled what went into the ICMP packet, I dropped a Trinux box on the network and dumped the packets alongside snort. The result was astounding - no HTTP data in my ICMP packets after all :)
Russell Fulton has recently reported similar results on the Snort-users list. In his case, the problem appears to be related to the stream4 preprocessor. As a test, could you try temporarily running with that shut off for a bit, and see if the problem is still there? Marty has reported that he has made some changes to it to address this in the latest 1.8.3 CVS copy.

Ryan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users