Snort mailing list archives
Packet weirdness
From: tyler () ibill com
Date: Thu, 7 Feb 2002 09:36:34 -0500
Gang,

Here's my scenario.. I have a box that is set up running apache and snort with demarc. Works great. I've also turned on proxying in apache and put a pass rule in for traffic from that box [so we can allow certain users access to AIM through the proxy, but alert on unauthorized users]. This setup should work fine, I would think.

Every now and then though, I start getting a lot of alarms for AIM, so I look at the packets and such. It's like the AIM packets going in to the proxy server are somehow overwriting the packet that snort is currently examining in memory and causing snort to think it's an AIM packet, so it then sends an alert. I say this because when I look at the packet details for the alarm, it's from a different machine than the one that sent the AIM message, to a machine on the internet that is NOT AOL, and the payload STARTS with part of an AIM packet, but then changes to that of an email message, web request, or some other non-AIM traffic.

Unfortunately I don't have a copy of an example packet, as this is only intermittent and doesn't happen all the time, but does anyone have any insight into this? I'm using snort 1.8.3 on Redhat 7.2...

tf.

**********************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager at postmaster () ibill com.
**********************************************************************

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
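As an added illustration (this is not part of tyler's post and not a file from the Snort project), here is what the setup he describes looks like as Snort 1.8-era rules: a pass rule for the proxy host placed beside an AIM alert rule in the style of the stock chat.rules. The proxy address, the `$AIM_SERVERS` contents and the exact `content` pattern are assumed placeholders, not values from the page. One configuration point worth checking in a setup like this: Snort 1.x evaluates rules in Alert -> Pass -> Log order by default, so a pass rule only suppresses a matching alert when snort is started with `-o`, which switches the order to Pass -> Alert -> Log.

```snort
# Added example rules, not from the original post. All addresses are assumed
# placeholders; take the real AIM server list from the shipped snort.conf.
var HOME_NET 192.168.1.0/24
var PROXY_HOST 192.168.1.10
var AIM_SERVERS [64.12.24.0/24,64.12.25.0/24]

# Pass rule: the apache proxy box is allowed to talk to AIM servers without
# raising an alert. With the default rule order this rule is evaluated AFTER
# the alert rules, so run snort with -o for it to take effect.
pass tcp $PROXY_HOST any -> $AIM_SERVERS any (msg:"AIM via authorized proxy, allowed";)

# Alert rule: any other host on the LAN opening an AIM session directly.
# An OSCAR FLAP frame starts with '*' (0x2a) followed by the channel byte;
# channel 1 is the new-connection (login) channel, so match on "*|01|" at
# the very start of the payload (pattern chosen for this example, assumed).
alert tcp $HOME_NET any -> $AIM_SERVERS any (msg:"CHAT AIM login from unauthorized host"; content:"*|01|"; depth:2;)
```

Start the sensor with the pass-first ordering, e.g. `snort -o -c /etc/snort/snort.conf -i eth0`, and confirm with a test session from the proxy host that no "CHAT AIM login" alert is generated, while the same session from another LAN host still is. Because the pass rule is keyed on the proxy's address only, a workstation that bypasses the proxy and connects to `$AIM_SERVERS` directly continues to alert, which is the behaviour the post is after.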
Current thread:
- Packet weirdness tyler (Feb 07)
- Re: Packet weirdness Chris Green (Feb 07)
- <Possible follow-ups>
- RE: Packet weirdness tyler (Feb 07)
- Re: Packet weirdness Chris Green (Feb 07)
- re: Packet weirdness Wynn Fenwick (Feb 07)
- re: Packet weirdness Wynn Fenwick (Feb 07)