Snort mailing list archives
Weird packets revisited
From: Kevin Peuhkurinen <kevin.peuhkurinen () hepcoe com>
Date: Mon, 03 Feb 2003 13:40:29 -0500
Odd that Frank Knobbe would bring up his problem with mystery packets at the same time that I am revisiting the problem.
To rehash my story, I'm getting erroneous "PNP Gnutella GET" alerts apparently being triggered by outgoing smtp traffic from my mail server. When I look at the packets in ACID or via Ethereal directly on the tcpdump log file, there are serious problems with the headers (bad or missing checksums, for instance), and the payload appears to be a mixture of HTTP and SMTP traffic. When I posted about this back in December, it was suggested to me that it was either a problem that had already been fixed or a case of dropped packets.
Now I am running Barnyard and have no more dropped packets. I am running the latest Snort Stable release (build 227) and am still experiencing the phenomenon. Fortunately, I have finally been able to grab a dump of all outgoing SMTP and HTTP traffic which can trigger the alert if I run Snort on it, so I can say a few things. The problem appears to happen when a lengthy HTTP conversation with file transfers occurs at the same time as a lengthy email with a large attachment is going out. It is definitely related to stream4, since the alert doesn't get triggered if I run Snort on the capture file without the stream4 preprocessor enabled.
I'd really like to help get this strange problem solved. If there is anything I can do to help out, let me know.
Kevin
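The post describes alert packets with bad or missing checksums and a payload that mixes two flows. A quick way to tell whether such a packet was ever on the wire, or was synthesised inside the sensor (a reassembled stream handed to the detection engine and logged as if it were a packet), is to recompute the IPv4 and TCP checksums of the logged frame. The following is an added example, not code from the post or from Snort: it assumes Ethernet II frames without VLAN tags carrying IPv4/TCP, and the sample frames below are constructed here, not taken from Kevin's capture.

```python
"""Recompute IPv4 and TCP checksums of logged frames (Ethernet II / IPv4 / TCP).

Triage aid for IDS alerts whose logged packet looks malformed: a packet read off
the wire normally carries valid checksums, whereas a packet the sensor built
internally (e.g. a reassembled stream) typically carries zeroed or stale ones.
The sample frames at the bottom are constructed for this example.
"""
import struct

ETH_HLEN = 14
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (odd trailing byte padded with 0)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header_checksum(ip_header: bytes) -> int:
    """Checksum of an IPv4 header, with its own checksum field treated as zero."""
    return ones_complement_sum(ip_header[:10] + b"\x00\x00" + ip_header[12:])


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over pseudo-header + segment, checksum field treated as zero."""
    pseudo = src + dst + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])


def verify_frame(frame: bytes) -> dict:
    """Report whether the IPv4 and TCP checksums in a captured frame are correct.

    tcp_checksum_ok is None when the frame is not TCP or the IP total length
    exceeds what was captured (truncated snaplen), so the TCP sum cannot be judged.
    """
    if len(frame) < ETH_HLEN + 20:
        raise ValueError("frame too short for Ethernet + IPv4")
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[ETH_HLEN:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    result = {
        "ip_checksum_ok": struct.unpack("!H", ip[10:12])[0] == ipv4_header_checksum(ip[:ihl]),
        "tcp_checksum_ok": None,
        # Ethernet padding may make the frame longer, never shorter, than total_len.
        "ip_length_consistent": ihl <= total_len <= len(ip),
    }
    if ip[9] == IPPROTO_TCP and result["ip_length_consistent"]:
        seg = ip[ihl:total_len]
        stored = struct.unpack("!H", seg[16:18])[0]
        result["tcp_checksum_ok"] = stored == tcp_checksum(ip[12:16], ip[16:20], seg)
    return result


def build_frame(src: str, dst: str, sport: int, dport: int, payload: bytes, valid: bool = True) -> bytes:
    """Construct an Ethernet/IPv4/TCP frame; valid=False leaves both checksums zero."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    # seq/ack/window are arbitrary constructed values; flags = PSH|ACK.
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 0xFFFF, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, IPPROTO_TCP, 0, src_b, dst_b)
    if valid:
        ip = ip[:10] + struct.pack("!H", ipv4_header_checksum(ip)) + ip[12:]
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src_b, dst_b, tcp)) + tcp[18:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


# Constructed samples: a genuine-looking HTTP segment, and a "packet" whose payload
# mixes HTTP and SMTP and whose checksums were never filled in, as a sensor-built
# reassembled buffer would look when logged.
SAMPLE_FRAMES = {
    "wire_http": build_frame("192.168.1.10", "10.0.0.25", 3456, 80, b"GET /index.html HTTP/1.0\r\n"),
    "mixed_synthetic": build_frame("192.168.1.10", "10.0.0.25", 3456, 80,
                                   b"GET /file.zip HTTP/1.0\r\nMAIL FROM:<a@example.invalid>\r\n", valid=False),
}


def triage(frames: dict) -> dict:
    """Run verify_frame over a name -> frame mapping."""
    return {name: verify_frame(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, r in triage(SAMPLE_FRAMES).items():
        print(name, r)
```

A logged packet whose IPv4 and TCP checksums both fail while neighbouring packets from the same host verify fine is a strong hint that the alerting "packet" was assembled by the sensor rather than captured, which is the first thing worth establishing before chasing the phenomenon in the rules themselves.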