Snort mailing list archives

Re: Garbage in snort logs


From: Phil Wood <cpw () lanl gov>
Date: Wed, 9 Jan 2002 10:17:03 -0700

Excellent!

On Wed, Jan 09, 2002 at 02:04:38PM +1300, russell wrote:
I have made some progress in working out what is going on.  I now have
two snort sensors working in parallel so I can twiddle the config file
of one and see how the logs compare to the 'standard' config.

I have now established that commenting out the 'preprocessor
stream4_reassemble' has the effect of not logging the packets with MAC
address 0. I.e. I don't get alerts at all for these events when the
reassembling is not enabled.  This suggests that the problems are
occurring in the reassembling code.

I tracked one alert that was logged by the snort instance doing
reassembling and not logged by the other. I verified from our argus logs
that there was a session at this time with the logged port numbers but
we failed to find anything in the web server logs that matched the
logged content of the packet (an attempt to execute command.exe by
escaping from _vti_bin).

This suggests to me that there is packet corruption taking place in the
packet reassembling *before* the pattern matching takes place and that
packets from different tcp streams are being mixed. From the look of the
data in the logged packets I would guess that some lengths are not being
correctly set so the data from some previous packet gets appended.

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

-- 
Phil Wood, cpw () lanl gov
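One way to do the comparison Russell describes (one sensor with stream4_reassemble, one with it commented out) mechanically, as an added example that is not code from the thread: parse both sensors' alert logs, list the alerts only the reassembling sensor produced, and flag those whose link-layer addresses are all zero, the signature of a reassembled pseudo-packet. It assumes Snort's full-alert format with link-layer headers; the sample alert blocks are constructed.

```python
import re

# Assumed layout of a Snort full-format alert block with link-layer headers
# (example code, not from the thread; the sample blocks below are constructed).
HDR = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
ETH = re.compile(r"^(\S+) (\S+) -> (\S+) type:")          # timestamp, src MAC, dst MAC
IP4 = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) (TCP|UDP)")  # src:port -> dst:port proto

VTI_BLOCK = """\
[**] [1:1288:2] WEB-FRONTPAGE /_vti_bin/ access [**]
[Classification: Web Activity] [Priority: 2]
01/09-02:04:37.001122 0:D0:B7:A1:22:33 -> 0:50:56:C0:0:8 type:0x800 len:0x14A
192.0.2.10:3311 -> 198.51.100.5:80 TCP TTL:64 TOS:0x0 ID:4411 IpLen:20 DgmLen:316
"""
# Constructed reassembled pseudo-packet: all-zero MACs, seen only by the reassembling sensor.
CMD_BLOCK = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
[Classification: Web Application Attack] [Priority: 1]
01/09-02:04:38.123456 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x0
192.0.2.10:3311 -> 198.51.100.5:80 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:0
"""
WITH_REASM = VTI_BLOCK + "\n" + CMD_BLOCK  # sensor running stream4_reassemble
WITHOUT_REASM = VTI_BLOCK                   # sensor with the preprocessor commented out

def parse_alerts(text):
    """Parse blank-line separated alert blocks into dicts (sid, msg, ts, MACs, 4-tuple)."""
    alerts = []
    for block in text.strip().split("\n\n"):
        a = {}
        for line in block.splitlines():
            if m := HDR.match(line):
                a.update(sid=int(m[2]), msg=m[4])
            elif m := ETH.match(line):
                a.update(ts=m[1], src_mac=m[2], dst_mac=m[3])
            elif m := IP4.match(line):
                a.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]))
        if all(k in a for k in ("sid", "src_mac", "src")):
            alerts.append(a)
    return alerts

def is_zero_mac(mac):
    return all(int(octet, 16) == 0 for octet in mac.split(":"))

def flow_key(a):
    # Timestamps differ slightly between sensors, so key on rule and 4-tuple only.
    return (a["sid"], a["src"], a["sport"], a["dst"], a["dport"])

def reassembly_only(with_reasm, without_reasm):
    """Alerts seen only by the reassembling sensor, each paired with a zero-MAC flag."""
    seen = {flow_key(a) for a in parse_alerts(without_reasm)}
    return [(a, is_zero_mac(a["src_mac"]) and is_zero_mac(a["dst_mac"]))
            for a in parse_alerts(with_reasm) if flow_key(a) not in seen]
```

Alerts returned with the flag set are the ones to cross-check against flow and web server logs, as done in the thread.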

