Snort mailing list archives

Weird packets revisited


From: Kevin Peuhkurinen <kevin.peuhkurinen () hepcoe com>
Date: Mon, 03 Feb 2003 13:40:29 -0500

Odd that Frank Knobbe would bring up his problem with mystery packets at the same time that I am revisiting the problem.

To rehash my story, I'm getting erroneous "PNP Gnutella GET" alerts apparently being triggered by outgoing smtp traffic from my mail server. When I look at the packets in ACID or via Ethereal directly on the tcpdump log file, there are serious problems with the headers (bad or missing checksums, for instance), and the payload appears to be a mixture of HTTP and SMTP traffic. When I posted about this back in December, it was suggested to me that it was either a problem that had already been fixed or a case of dropped packets.

Now I am running Barnyard and have no more dropped packets. I am running the latest Snort Stable release (build 227) and am still experiencing the phenomenon. Fortunately, I have finally been able to grab a dump of all outgoing SMTP and HTTP traffic which can trigger the alert if I run Snort on it, so I can say a few things. The problem appears to happen when a lengthy HTTP conversation with file transfers occurs at the same time as a lengthy email with a large attachment is going out. It is definitely related to stream4 since the alert doesn't get triggered if I run Snort on the capture file without the stream4 preprocessor enabled.

I'd really like to help get this strange problem solved. If there is anything I can do to help out, let me know.

Kevin
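A small checker for the symptoms described above, added here as an example and not code from the original message or from the Snort project: it walks a tcpdump/pcap file, recomputes each TCP checksum, and flags payloads that carry both SMTP and HTTP markers, which is what a reassembled pseudo-packet that mixes two conversations looks like. The pcap builder and packet contents are constructed sample data; it assumes IPv4 over Ethernet without IP options and does not model stream4 itself.

```python
import struct
# Added example, not from the original post: markers used to spot one payload that mixes two
# conversations, which is what the corrupted stream4 pseudo-packets described above look like.
SMTP_MARKERS = (b"MAIL FROM:", b"RCPT TO:", b"DATA\r\n", b"250 ")
HTTP_MARKERS = (b"GET ", b"POST ", b"HTTP/1.")

def checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (odd length zero-padded)."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src, dst, segment):
    """Checksum of a TCP segment (own checksum field zeroed) plus the IPv4 pseudo-header."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])

def build_packet(src, dst, sport, dport, payload, good_checksum=True):
    """Constructed Ethernet/IPv4/TCP frame; good_checksum=False stores a wrong TCP checksum."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    csum = (tcp_checksum(src, dst, tcp) + (0 if good_checksum else 1)) & 0xFFFF
    tcp = tcp[:16] + struct.pack("!H", csum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, src, dst)
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zeroed MACs, IP header checksum left 0

def pcap_file(frames):
    """Wrap frames in a classic little-endian pcap container (link type 1 = Ethernet)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return out

def analyze_pcap(data):
    """Return (checksum_ok, mixed_protocols) for every IPv4/TCP packet in a pcap blob."""
    results, off = [], 24
    while off + 16 <= len(data):
        caplen = struct.unpack("<I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4/TCP
        ihl, ip_len = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + ip_len]
        ok = struct.unpack("!H", tcp[16:18])[0] == tcp_checksum(frame[26:30], frame[30:34], tcp)
        payload = tcp[(tcp[12] >> 4) * 4:]
        mixed = any(m in payload for m in SMTP_MARKERS) and any(m in payload for m in HTTP_MARKERS)
        results.append((ok, mixed))
    return results
```

Run it over the real tcpdump log with `analyze_pcap(open(path, "rb").read())`; packets reported as both bad-checksum and mixed are the candidates to compare against the ACID alerts.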




