Snort mailing list archives

Re: A weird packet..... perhaps a bug?


From: Erek Adams <erek () snort org>
Date: Mon, 3 Feb 2003 07:10:18 -0500 (EST)

On Mon, 2 Feb 2003, Frank Knobbe wrote:

> I recently caught the packet below with Snort 1.9 compiled Jan 29 from
> CVS. It lists some weird content. The upper half looks like a valid HTTP
> request (I verified that that image exists and is indeed called from
> the referring page). The bottom half looks like a snippet from an email,
> which would explain why this packet triggered on port 25.
>
> Has anyone seen a similar mangled packet? Is there a bug in Snort where
> the packet buffer gets overwritten half-way?

[...snip...]

Frank, do you have a pcap of that packet?  If so, try it out against the
2.0 CVS version.  There was a case that was fixed in CVS that would cause
something like this.

-----
Erek Adams

   "When things get weird, the weird turn pro."   H.S. Thompson

