Snort mailing list archives
Re: A weird packet..... perhaps a bug?
From: Erek Adams <erek () snort org>
Date: Mon, 3 Feb 2003 07:10:18 -0500 (EST)
On Mon, 2 Feb 2003, Frank Knobbe wrote:
I recently caught the packet below with Snort 1.9 compiled Jan 29 from CVS. It lists some weird content. The upper half looks like a valid HTTP request (I verified that that image exists and is indeed called from the referring page). The bottom half looks like a snippet from an email, which would explain why this packet triggered on port 25. Has anyone seen a similar mangled packet? Is there a bug in Snort where the packet buffer gets overwritten half-way?
[...snip...]

Frank, do you have a pcap of that packet? If so, try it out against the 2.0 CVS version. There was a case that was fixed in CVS that would cause something like this.

-----
Erek Adams
"When things get weird, the weird turn pro." H.S. Thompson
Current thread:
- A weird packet..... perhaps a bug? Frank Knobbe (Feb 02)
- Re: A weird packet..... perhaps a bug? Erek Adams (Feb 03)
- Re: [Snort-devel] A weird packet..... perhaps a bug? Chris Green (Feb 03)
- Re: A weird packet..... perhaps a bug? Kenneth G. Arnold (Feb 03)
- <Possible follow-ups>
- RE: A weird packet..... perhaps a bug? Cornelis, Dirk (BE - Diegem) (Feb 03)