Snort mailing list archives

Re: False alarm due to wrong byteordering


From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 26 Jul 2001 11:31:17 -0400

Looks like a problem in spp_defrag, check out spp_frag2 and see if you
see any more byte ordering problems.


    -Marty

Ralf Hildebrandt wrote:

On Tue, Jul 17, 2001 at 04:02:13PM +0200, Ralf Hildebrandt wrote:
Today I got this in the log:

Jul 17 08:11:00 stahlw06 snort: MISC loopback traffic [Classification: Potentially Bad Traffic   Priority: 2]: 127.75.134.169:0 -> 71.92.134.169:0

which is wrong. It should have been:
134.169.127.75:0 -> 134.169.71.92:0
instead. I assume there's some error in the byteorder for network
addresses under HP-UX 10.20...

I've got more details about this byte-ordering problem:
Jul 26 07:54:25 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {UDP} 134.169.64.93:0 -> 134.169.26.6:0
Jul 26 07:54:25 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {UDP} 134.169.64.93:0 -> 134.169.26.6:0
Jul 26 08:02:34 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {UDP} 134.169.26.6:0 -> 134.169.26.38:0
Jul 26 08:02:34 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {UDP} 134.169.26.6:0 -> 134.169.26.38:0

These are perfectly OK, correct order and all.

Jul 26 08:28:32 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {IP} 220.225.134.169 -> 71.89.134.169

Just this one's badly ordered!

All with today's CVS snapshot.
--
ralf.hildebrandt () innominate com                            innominate AG
Technical Consultant                   Don't be afraid of what you see -
Diplom-Informatiker                     be afraid of what you don't see!
tel: +49.(0)7000.POSTFIX                        fax: +49.(0)30.308806-77

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
http://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

--
Martin Roesch
roesch () sourcefire com
http://www.sourcefire.com - http://www.snort.org
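
Added example, not part of the original messages and not Snort code: in the first report the logged addresses equal the expected ones with their two 16-bit halves exchanged (a.b.c.d logged as c.d.a.b), so an analyst can triage such alerts by checking whether both endpoints only fall inside the monitored network after that exchange. HOME_NET (134.169.0.0/16) is an assumption inferred from the addresses in the thread, the function names are hypothetical, and the sample lines are the thread's alerts re-joined onto one line each.

```python
import ipaddress
import re

# Assumption: the sensor's monitored network, inferred from the thread's addresses.
HOME_NET = ipaddress.ip_network("134.169.0.0/16")

# Constructed sample input: alert lines from the thread, one alert per line.
SAMPLE_LOG = """\
Jul 17 08:11:00 stahlw06 snort: MISC loopback traffic [Classification: Potentially Bad Traffic   Priority: 2]: 127.75.134.169:0 -> 71.92.134.169:0
Jul 26 07:54:25 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {UDP} 134.169.64.93:0 -> 134.169.26.6:0
Jul 26 08:28:32 stahlw06 snort: [103:2:1] Incomplete Packet Fragments Discarded {IP} 220.225.134.169 -> 71.89.134.169
"""

# "src[:port] -> dst[:port]" as it appears at the end of each alert line.
DOTTED = r"(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?"
FLOW_RE = re.compile(DOTTED + r"\s+->\s+" + DOTTED)

def swap_halves(addr):
    """Exchange the two 16-bit halves of an IPv4 address (a.b.c.d -> c.d.a.b)."""
    n = int(ipaddress.IPv4Address(addr))
    return str(ipaddress.IPv4Address(((n & 0xFFFF) << 16) | (n >> 16)))

def triage(line):
    """Return (src, dst, suspect); suspect alerts carry the half-swapped addresses."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    src, dst = m.group(1), m.group(2)
    as_logged = [ipaddress.ip_address(a) in HOME_NET for a in (src, dst)]
    swapped = [ipaddress.ip_address(swap_halves(a)) in HOME_NET for a in (src, dst)]
    # Suspect only when neither endpoint is local as logged but both are after the swap.
    if not any(as_logged) and all(swapped):
        return swap_halves(src), swap_halves(dst), True
    return src, dst, False

def triage_log(text):
    """Triage every line that contains a flow; lines without one are skipped."""
    return [r for r in map(triage, text.splitlines()) if r]

if __name__ == "__main__":
    for src, dst, suspect in triage_log(SAMPLE_LOG):
        print(("SWAPPED? " if suspect else "ok       ") + src + " -> " + dst)
```

A flagged line is only a candidate for the display problem reported here; traffic between two hosts that are both genuinely outside HOME_NET can match by coincidence, so confirm against a packet capture before discarding the alert.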
