Snort mailing list archives
Re: BUG in stream4 reassemble
From: Chris Green <cmg () sourcefire com>
Date: Mon, 01 Apr 2002 06:50:06 -0500
Peng Yong <ppyy () staff cn99 com> writes:
> We use snort Version 1.8.4 (Build 99) to log all the POP3 packets of our private network, and find there are some duplicate packets when we enable stream4_reassemble.
That's the way S4 reassemble works currently. Perhaps we should always flush the stream the same way we do on alerts if the packet is logged. Anyway, the way it works is aggregating several packets together and forming a pseudo packet and sending that pseudo packet through the detection engine. In snort 2.0, that will be changed to a real byte stream.
> If we disable stream4_reassemble, it works ok. The duplicate packet has a feature: the ID of the IP header is always 0. Here is an example:
>
> 04/01-16:54:22.995507 202.102.2.83:110 -> 192.168.0.99:2979 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:174
>
> Is this a BUG of stream4_reassemble? Here is our snort.conf:
>
> preprocessor frag2
> preprocessor stream4: keepstats
> preprocessor stream4_reassemble: both, ports 110
> var MY_NET [192.168.0.0/24]
> log tcp any 110 <> $MY_NET any
If this had been an alert, I don't think you would have seen reassembled packets, so it's a bug with log in conjunction with stream reassembly. Although, if you are going to log everything on those ports, why are you reassembling them? :-)

-- 
Chris Green <cmg () sourcefire com>
A watched process never cores.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
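What Chris describes above, modelled as an added example (my own code, not Snort's and not anything posted in this thread): `build_pseudo_packet` plays the role of stream4 joining several segments of one flow direction into a pseudo packet with IP ID 0, `log_header` renders the Snort 1.x ASCII header line Peng Yong quoted, and `drop_pseudo_packets` strips those entries from a log that was written with both the real segments and the pseudo packet. The addresses and the parsed header line come from the posted log; the POP3 payloads, the IP IDs, the 20-byte TCP header assumed behind `DgmLen`, and the rule that a pseudo packet's payload is exactly the joined payload of the preceding real segments are assumptions made for the illustration.

```python
"""Added example, not Snort's code: a toy model of the stream4 behaviour Chris
describes (segments aggregated into one pseudo packet that is logged next to the
real ones, with ID:0 as in Peng Yong's log line) and a filter that strips such
pseudo packets from a Snort 1.x ASCII packet log.  Assumed, not from the page:
the pseudo packet carries the joined payloads behind a 20-byte TCP header, and
every sample packet below is constructed."""
import re
from dataclasses import dataclass

IP_HDR = 20   # IpLen:20, as in the posted log line
TCP_HDR = 20  # assumed; the header line carries no TcpLen

@dataclass
class Segment:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    ip_id: int
    payload: bytes

def build_pseudo_packet(segments):
    """Toy stream4 reassembly: one flow direction's segments become a single
    packet with the joined payload and IP ID 0."""
    if not segments:
        raise ValueError("nothing to reassemble")
    if len({(s.src, s.sport, s.dst, s.dport) for s in segments}) != 1:
        raise ValueError("segments must belong to one flow direction")
    first, last = segments[0], segments[-1]
    return Segment(last.ts, first.src, first.sport, first.dst, first.dport, 0,
                   b"".join(s.payload for s in segments))

def log_header(pkt, ttl=240, tos=0x10):
    """Render the Snort 1.x ASCII log header line for a packet."""
    return (f"{pkt.ts} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} TCP "
            f"TTL:{ttl} TOS:0x{tos:02X} ID:{pkt.ip_id} IpLen:{IP_HDR} "
            f"DgmLen:{IP_HDR + TCP_HDR + len(pkt.payload)}")

HEADER_RE = re.compile(
    r"(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) TCP "
    r"TTL:(?P<ttl>\d+) TOS:0x(?P<tos>[0-9A-Fa-f]+) ID:(?P<id>\d+) "
    r"IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)")

# The header line Peng Yong posted; used to check the parser.
PAGE_LINE = ("04/01-16:54:22.995507 202.102.2.83:110 -> 192.168.0.99:2979 TCP "
             "TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:174")

def parse_header(line):
    """Parse a header line into a dict (numeric fields as ints); None for the
    continuation lines Snort prints after it (flags, seq/ack, payload dump)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "ttl", "id", "iplen", "dgmlen"):
        d[k] = int(d[k])
    d["tos"] = int(d["tos"], 16)
    return d

def drop_pseudo_packets(lines):
    """Split a log into (kept, dropped).  An entry counts as a stream4 pseudo
    packet when it has ID 0 and its payload length equals the real payload
    logged for that flow direction since the previous pseudo packet; the
    continuation lines of an entry follow the decision made for its header."""
    kept, dropped = [], []
    pending = {}  # flow -> real payload bytes seen since the last pseudo packet
    dropping = False
    for line in lines:
        h = parse_header(line)
        if h is None:
            (dropped if dropping else kept).append(line)
            continue
        flow = (h["src"], h["sport"], h["dst"], h["dport"])
        payload = h["dgmlen"] - h["iplen"] - TCP_HDR
        dropping = h["id"] == 0 and payload > 0 and payload == pending.get(flow, 0)
        if dropping:
            dropped.append(line)
            pending[flow] = 0
        else:
            kept.append(line)
            pending[flow] = pending.get(flow, 0) + payload
    return kept, dropped

def sample_segments():
    """Constructed POP3 server-to-client segments using the page's addresses."""
    srv, cli = ("202.102.2.83", 110), ("192.168.0.99", 2979)
    return [Segment("04/01-16:54:22.990001", *srv, *cli, 41123,
                    b"+OK POP3 server ready\r\n"),
            Segment("04/01-16:54:22.993210", *srv, *cli, 41124,
                    b"+OK 3 messages (4096 octets)\r\n")]

def sample_log():
    """Log with reassembly on: two real segments, the pseudo packet built from
    them, then a later real segment that is not a duplicate."""
    segs = sample_segments()
    later = Segment("04/01-16:54:23.104455", "202.102.2.83", 110,
                    "192.168.0.99", 2979, 41125, b"+OK\r\n")
    return [log_header(s) for s in segs + [build_pseudo_packet(segs), later]]

if __name__ == "__main__":
    kept, dropped = drop_pseudo_packets(sample_log())
    print("dropped as stream4 pseudo packet:", *dropped, sep="\n  ")
    print("kept:", *kept, sep="\n  ")
```

Matching on `ID:0` alone is what Peng Yong's observation suggests and would be the simplest filter; the size check is there because a real packet can legitimately carry IP ID 0, while a pseudo packet's `DgmLen` should account for exactly the real bytes it duplicates. Chris's closing question still points at the cleaner fix for this setup: if everything on port 110 is logged anyway, taking 110 out of `stream4_reassemble: ports` stops the pseudo packets from being produced at all, which matches Peng Yong's report that the log is fine with reassembly disabled.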
Current thread:
- BUG in stream4 reassemble Peng Yong (Apr 01)
- Re: BUG in stream4 reassemble Chris Green (Apr 01)
- <Possible follow-ups>
- BUG in stream4 reassemble Peng Yong (Apr 02)
- Re: BUG in stream4 reassemble Chris Green (Apr 02)