Snort mailing list archives
Re: Re: Garbage in snort logs
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 10 Jan 2002 16:53:42 -0500
The stream_size calculation in stream4 is what's causing the problem; I'm working on it as we speak. I'll be checking in a new build in a bit, and I'll let you guys know when it's ready.

-Marty

Russell Fulton wrote:
> From: Andreas Östling <andreaso () it su se>
>
> > Hello,
> >
> > I experience the same problems as Russell from time to time. I was running 1.8.3 (release version), but unfortunately build 89 did not solve all problems. The ethernet headers now seem to be correct, but the payload is still messed up.
> >
> > [ snip ]
> >
> > This is just a test machine so I'll try to experiment a bit. Any clever suggestions about what may be worth trying? To me it seems like it's always those unicode requests that mess things up. Could there also be some problem with http_decode?
>
> Agreed.
>
> > (did build 89 solve your problems, Russell?)
>
> No, my experience mirrors yours. I'm pleased I'm no longer alone; I was starting to think I must have been imagining these problems ;-)
>
> Here is some mail I sent to Marty this morning which has some other ideas on this problem...
>
> Hi Marty,
>
> I have just been corresponding with Brennan Bakke <bbakke () solcon nl> who reported finding bits of snort rules in logged ICMP packets (on the SecurityFocus incidents list). I told him about the build 89 fixes and suggested that these might fix his problems. Someone else pointed out (quite rightly) that the ICMP packets should not go anywhere near the stream4 preprocessor! So I wonder if there is a bug somewhere much lower down in the stack which is mangling some length and causing both these problems. In my case, turning off the stream4 stuff makes these alerts go away, but that does *not* necessarily imply that it is the stream4 stuff that is causing the problem in the first place.
>
> Cheers, Russell.
>
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
Current thread:
- Re: Garbage in snort logs, (continued)
- Re: Garbage in snort logs Andreas Östling (Jan 10)
- "Connnection closed"? (spelled wrong!) Edwin Eefting (Jan 10)
- Re: "Connnection closed"? (spelled wrong!) John Sage (Jan 13)
- Re: Garbage in snort logs Phil Wood (Jan 09)
- Getting an error using -r Ken Pickering (Jan 09)
- Re: Getting an error using -r Ken Pickering (Jan 09)
- CVS version not finding pcap includes Bob Van Cleef (Jan 09)
- Re: Garbage in snort logs Frank (Jan 10)
- Re: Re: Garbage in snort logs Martin Roesch (Jan 10)
- Re: Re: Garbage in snort logs Martin Roesch (Jan 10)