Snort mailing list archives

snort 1.8.3 splicing packets


From: "Scott Nursten" <scottn () s2s ltd uk>
Date: Thu, 10 Jan 2002 17:16:30 -0000

Greetings all,

Anyone had strange behaviour out of Snort 1.8.3? I've had two really
strange incidents being:

1. Snort seems to be splicing packets - i.e. If I nmap a machine and
surf the web at the same time, I get ICMP/HTTP spliced packets in my
MySQL DB. At first it looked really scary, like ICMP tunnelling or
something to that effect, but when I realised that I controlled what
went into the ICMP packet, I dropped a Trinux box on the network and
dumped the packets alongside snort. The result was astounding - no HTTP
data in my ICMP packets after all :)

2. A friend of mine has just installed 1.8.3 and seems to be having some
difficulty reading some of the tcpdump format log files with tcpdump ||
snort. It seems that it has some difficulties with the pcap. 

tcpdump: pcap_loop: bogus savefile header

This is very strange to me as both the tcpdump and the snort were
compiled with a fresh 0.6.2 pcap from tcpdump.org. What's even stranger
is he can read SOME of the files that snort writes, but not others!!!  

Any ideas, questions, comments?! 

Regards, 

Scott Nursten 



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
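An added example for the second problem in the mail above (this is not code from the original post, from Snort or from libpcap). In the libpcap of that era the file header is checked for a recognised magic and a version 2 major number ("bad dump file format" / "archaic file format"), and the string "bogus savefile header" is produced later, inside the record loop that pcap_loop drives, when a record header claims a caplen larger than the file's snaplen, because the read buffer is only snaplen bytes. That is why a file can be opened and partly read but still fail: once one record boundary is wrong (a short or interleaved write, for instance), the next "header" is read out of packet data. The script below applies those same checks to a pcap held in memory and reports which record tripped and at what offset; the two sample captures are constructed inside the block, and the file name in the usage comment is made up.

```python
"""Diagnose a pcap the way libpcap's savefile reader would.

Added example (not code from the original mail or from Snort/libpcap).
It re-implements the checks libpcap makes when reading a savefile: the
magic and version in the 24-byte file header, then, for every record,
caplen <= snaplen.  The record check is the one behind the message
"bogus savefile header", so this tells you *which* record tripped it.
The sample captures at the bottom are constructed in memory.
"""
import struct
import sys
from dataclasses import dataclass

PCAP_MAGIC = 0xA1B2C3D4      # tcpdump magic, microsecond timestamps
GLOBAL_HDR_LEN = 24          # magic, v_major, v_minor, thiszone, sigfigs, snaplen, linktype
RECORD_HDR_LEN = 16          # ts_sec, ts_usec, caplen, len


@dataclass
class Diagnosis:
    ok: bool
    reason: str
    records: int = 0      # complete records read before the problem (or total)
    offset: int = -1      # file offset of the record header that failed
    snaplen: int = 0
    byte_order: str = ""  # "little" or "big", taken from the magic


def diagnose_pcap(data: bytes) -> Diagnosis:
    """Walk a pcap held in memory and return the first problem found."""
    if len(data) < GLOBAL_HDR_LEN:
        return Diagnosis(False, "truncated file header")
    # libpcap accepts the magic in either byte order and reads the rest
    # of the file in the order the magic implies.
    if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC:
        order, byte_order = "<", "little"
    elif struct.unpack(">I", data[:4])[0] == PCAP_MAGIC:
        order, byte_order = ">", "big"
    else:
        return Diagnosis(False, "bad dump file format (magic %s)" % data[:4].hex())
    v_major, v_minor, _tz, _sig, snaplen, _link = struct.unpack(
        order + "HHiIII", data[4:GLOBAL_HDR_LEN])
    if v_major != 2:
        return Diagnosis(False, "unsupported version %d.%d" % (v_major, v_minor),
                         snaplen=snaplen, byte_order=byte_order)
    off, n = GLOBAL_HDR_LEN, 0
    while off < len(data):
        if len(data) - off < RECORD_HDR_LEN:
            return Diagnosis(False, "truncated dump file (partial record header)",
                             n, off, snaplen, byte_order)
        _sec, _usec, caplen, _wirelen = struct.unpack(
            order + "IIII", data[off:off + RECORD_HDR_LEN])
        # This is the libpcap check behind "bogus savefile header": the
        # reader's buffer is snaplen bytes, so a record claiming more than
        # that cannot be read.  A record header read from the wrong offset
        # (e.g. after a short write) typically fails exactly here.
        if caplen > snaplen:
            return Diagnosis(False, "bogus savefile header (caplen %d > snaplen %d)"
                             % (caplen, snaplen), n, off, snaplen, byte_order)
        if len(data) - off - RECORD_HDR_LEN < caplen:
            return Diagnosis(False, "truncated dump file (short packet data)",
                             n, off, snaplen, byte_order)
        off += RECORD_HDR_LEN + caplen
        n += 1
    return Diagnosis(True, "ok", n, off, snaplen, byte_order)


def build_pcap(payloads, snaplen=1514, order="<"):
    """Assemble a v2.4 pcap in memory from raw frame bytes (constructed data)."""
    out = bytearray(struct.pack(order + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1))
    for i, frame in enumerate(payloads):
        out += struct.pack(order + "IIII", 1010000000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


# Constructed sample: two Ethernet-sized frames, then the same file with the
# second record's caplen field clobbered so it exceeds the 1514-byte snaplen.
GOOD_PCAP = build_pcap([b"\x00" * 60, b"\x01" * 100])
SECOND_RECORD = GLOBAL_HDR_LEN + RECORD_HDR_LEN + 60
_bogus = bytearray(GOOD_PCAP)
struct.pack_into("<I", _bogus, SECOND_RECORD + 8, 65535)
BOGUS_PCAP = bytes(_bogus)

if __name__ == "__main__":
    # Usage: python pcapcheck.py capture.pcap   (hypothetical file name;
    # with no argument the two constructed samples are diagnosed instead)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(diagnose_pcap(fh.read()))
    else:
        print(diagnose_pcap(GOOD_PCAP))
        print(diagnose_pcap(BOGUS_PCAP))
```

Run it against one of the files tcpdump rejects and one it accepts: if the rejected file reports "bogus savefile header" at some record offset while the file header itself is fine, the problem is in how the records were written (record boundaries), not in the pcap library the two tools were built against.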

