Snort mailing list archives
Snort Wierdness on a NetWinder
From: <rewt () eghetto ca>
Date: Wed, 20 Mar 2002 23:45:32 -0400 (AST)
So I've gone through several versions of snort, and a single known working copy of libpcap (confirmed with tcpdump and others). While tcpdump and other libpcap-related things work fine, snort just does something weird. When I monitor traffic, no matter what mode I use (sniffer, logger, ids) it exhibits this problem. Note that I've managed to get snort working on dozens of machines that -aren't- netwinders, so I suspect it might be something StrongArm related.

Anyways, this is what happens; the destination ip is replaced with the source ip, and the source ip gets replaced by an incrementing random ip. I think an example is in order. The client is 192.168.100.8, connecting to a ssh server on 192.168.100.166.

packet   source ip/port          destination ip/port
----------------------------------------------------------
1        192.168.58.345:1168     192.168.100.8:22
2        192.168.58.346:22       192.168.100.166:1168
3        192.168.58.347:1168     192.168.100.8:22
4        192.168.58.348:22       192.168.100.166:1168

and so on. Now there are several peculiar things which kind of disprove my theory that this might be endian or processor related. First off is the fact that the port numbers remain consistent, and the second is the fact that the source IPs increment. Note that the IPs don't always increment by 1, sometimes it's by 5 or 10 or a whole subnet!

Anyways, I'm stuck on this one. I looked at the FAQ, cvs commit logs for snort, and did some google searching, all to no avail. Any help would be appreciated, my NetWinder is getting sad.

Cheers.
Jonathan

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive: http://www.geocrawler.com/redir-sf.php3?list=snort-users
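A way to narrow down a decoder problem like the one above is to decode the IPv4 addresses and TCP ports from the raw frame yourself, with explicit network byte order so the result is identical on x86 and StrongARM, and compare against what the sniffer reports. The following is an added example (not Snort's code and not from the poster); the frame is constructed to match the post's client/server pair, and the symptom check encodes only the pattern described in the post (destination equals the expected source, ports intact).

```python
import struct
from ipaddress import IPv4Address

# Constructed sample frame: minimal Ethernet + IPv4 + TCP headers for the
# 192.168.100.8:1168 -> 192.168.100.166:22 SSH packet from the post (not a real capture).
def build_frame(src_ip, dst_ip, sport, dport):
    eth = b"\x00" * 12 + b"\x08\x00"  # dst/src MAC (zeroed), EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def decode(frame):
    """Return (src_ip, sport, dst_ip, dport) using "!" (big-endian) unpacking,
    which is correct regardless of the host CPU's native byte order."""
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4                      # IPv4 header length in bytes
    src, dst = struct.unpack("!4s4s", frame[26:34])   # src/dst at IPv4 offsets 12..20
    sport, dport = struct.unpack("!HH", frame[14 + ihl:14 + ihl + 4])
    return (str(IPv4Address(src)), sport, str(IPv4Address(dst)), dport)

def looks_like_swapped_dst(expected, observed):
    """Flag the symptom from the post: reported dst equals the real src while
    both ports are intact, which points at address decoding, not port decoding."""
    esrc, esport, edst, edport = expected
    osrc, osport, odst, odport = observed
    return odst == esrc and osport == esport and odport == edport and osrc != esrc

if __name__ == "__main__":
    frame = build_frame("192.168.100.8", "192.168.100.166", 1168, 22)
    good = decode(frame)
    # Constructed "bad" report in the shape the post describes.
    reported = ("192.168.58.200", 1168, "192.168.100.8", 22)
    print("reference decode:", good)
    print("symptom present:", looks_like_swapped_dst(good, reported))
```

Run the reference decode against the same capture the sniffer saw (tcpdump -w, then read the frames) and compare field by field; agreement on ports but not addresses isolates the fault to the address path.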
Current thread:
- Snort Wierdness on a NetWinder rewt (Mar 21)