Snort mailing list archives
snort 1.8.3 splicing packets
From: "Scott Nursten" <scottn () s2s ltd uk>
Date: Thu, 10 Jan 2002 17:16:30 -0000
Greetings all,

Anyone had strange behaviour out of Snort 1.8.3? I've had two really strange incidents being:

1. Snort seems to be splicing packets - i.e. if I nmap a machine and surf the web at the same time, I get ICMP/HTTP spliced packets in my MySQL DB. At first it looked really scary, like ICMP tunnelling or something to that effect, but when I realised that I controlled what went into the ICMP packet, I dropped a Trinux box on the network and dumped the packets alongside snort. The result was astounding - no HTTP data in my ICMP packets after all :)

2. A friend of mine has just installed 1.8.3 and seems to be having some difficulty reading some of the tcpdump format log files with tcpdump || snort. It seems that it has some difficulties with the pcap.

    tcpdump: pcap_loop: bogus savefile header

This is very strange to me as both the tcpdump and the snort were compiled with a fresh 0.6.2 pcap from tcpdump.org. What's even stranger is he can read SOME of the files that snort writes, but not others!!!

Any ideas, questions, comments?!

Regards,
Scott Nursten
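One way to narrow down which of the savefiles are damaged and where, as an added example that is not part of the original post and is not Snort or tcpdump code: it checks the classic pcap file header and then walks every record header. It assumes the classic (non-pcapng) savefile layout; the function names and the sample byte strings are constructed for illustration.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4                  # classic pcap savefile magic number
GLOBAL_HDR_LEN, RECORD_HDR_LEN = 24, 16  # file header and per-packet header sizes

def check_savefile(data):
    """Validate the file header and every record header; return (ok, message)."""
    if len(data) < GLOBAL_HDR_LEN:
        return False, "file shorter than the 24-byte savefile header"
    # The writer's byte order is unknown: try both, keep the one whose magic matches.
    for endian in ("<", ">"):
        if struct.unpack(endian + "I", data[:4])[0] == PCAP_MAGIC:
            break
    else:
        return False, "bad magic number 0x%s" % data[:4].hex()
    major, minor, _zone, _sigfigs, snaplen, linktype = struct.unpack(
        endian + "HHiIII", data[4:GLOBAL_HDR_LEN])
    offset, count = GLOBAL_HDR_LEN, 0
    while offset < len(data):
        count += 1
        if len(data) - offset < RECORD_HDR_LEN:
            return False, "record %d at offset %d: truncated record header" % (count, offset)
        _sec, _usec, caplen, wirelen = struct.unpack(
            endian + "IIII", data[offset:offset + RECORD_HDR_LEN])
        if caplen > snaplen or caplen > wirelen:
            return False, ("record %d at offset %d: caplen %d inconsistent with "
                           "snaplen %d / wire length %d" % (count, offset, caplen, snaplen, wirelen))
        if offset + RECORD_HDR_LEN + caplen > len(data):
            return False, "record %d at offset %d: packet data runs past end of file" % (count, offset)
        offset += RECORD_HDR_LEN + caplen
    return True, "%d records, version %d.%d, snaplen %d, linktype %d" % (
        count, major, minor, snaplen, linktype)

def build_sample(records, endian="<", snaplen=1514):
    """Build a constructed savefile from (caplen_field, payload) pairs."""
    out = struct.pack(endian + "IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)
    for caplen, payload in records:
        out += struct.pack(endian + "IIII", 1010682990, 0, caplen, max(caplen, len(payload)))
        out += payload
    return out

# Constructed samples: a clean file, and one whose second record header holds garbage.
GOOD = build_sample([(60, b"\x00" * 60), (42, b"\x00" * 42)])
BAD = build_sample([(60, b"\x00" * 60), (0x45000054, b"\x00" * 42)])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:            # e.g. the log files snort wrote
        with open(path, "rb") as fh:
            print(path, check_savefile(fh.read()))
```

Running it over every file Snort wrote separates the readable ones from the unreadable ones and gives the record number and byte offset of the first inconsistent header.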