Snort mailing list archives
Snort swapping src and dst in binary log?
From: David Gordon <dgordon () mmwec org>
Date: Wed, 9 Jul 2003 11:53:54 -0400
I have a situation where snort seems to be swapping the source IP address with the destination IP address and swapping the source port with the destination port when it writes to a binary log file. Snort is Version 2.0.0 (Build 72) running on Linux. I'm starting snort with the -bdeo, -c, -l and -i options. It is running with the preprocessors included in the downloaded conf. On the same computer and same interface I'm also running tcpdump -w (with default snaplen).

I have been getting "[**] [1:1432:4] P2P GNUTella GET [**]" alerts occasionally when a certain web page of ours gets a hit. This particular rule alerts when $HOME_NET any -> $EXTERNAL_NET !80 traffic has "GET " in the content. The alert shows our server as the src host, port 80 as the src port, an internet IP address as the dest host and some high port as the dest port. This agrees with the binary log written for that packet by snort. The thing is, when I look at the binary file written by tcpdump, the packet with the exact same timestamp and sequence number shows our server and port 80 as the destination host and port, and the internet IP and high port as the source host and port. This agrees with activity I see recorded in both the firewall and web server logs at that time. It seems that snort has incorrectly handled the packet. Any ideas of what could be causing this?

Two observations:

1. The contents of the packets logged by the snort alert typically seem to contain a lot of HTTP content that seems to be unrelated to what should be retrieved from our web site. I can't tell whether snort is corrupting the binary file by including data from unrelated packets or if there is something fishy going on with these particular web pages. Given the mixup of the header info, I suspect that snort is messing up for some reason.

2. The particular page that I've observed this on is a .NET developed aspx file. It doesn't seem to happen every time this page is loaded. However, since snort is only logging packets that generate alerts, it might be happening more than is logged.

Any suggestions as to how to troubleshoot this?
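The comparison the post describes by hand (find the packet with the same timestamp and TCP sequence number in the tcpdump file and see whether the endpoints are reversed) can be done mechanically over whole captures. The script below is an added example, not part of the original post and not Snort's own code. It relies on the fact that Snort's -b binary log is written in libpcap (tcpdump) format, so one parser reads both files; it pairs packets on (timestamp, sequence number) and classifies each pair as same, swapped or different. The two sample captures, the RFC 5737 addresses, and the helper names are constructed for the example; the parser handles Ethernet/IPv4/TCP only, which is what the post is about.

```python
"""Pair packets from two libpcap captures and check whether their endpoints agree.

Added example for the thread above: Snort's -b binary log is libpcap (tcpdump)
format, so the same parser reads both the tcpdump -w file and the Snort log.
Packets are matched on (timestamp, TCP sequence number) and classified as
'same', 'swapped' (src<->dst reversed) or 'different'. Standard library only;
the captures at the bottom are constructed, not real traffic.
"""
import socket
import struct
from typing import Dict, Iterator, Tuple

FiveTuple = Tuple[str, int, str, int]  # (src_ip, src_port, dst_ip, dst_port)
Key = Tuple[int, int, int]             # (ts_sec, ts_usec, tcp_seq)

PCAP_MAGIC_LE = 0xA1B2C3D4
PCAP_MAGIC_BE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def parse_pcap(data: bytes) -> Iterator[Tuple[Key, FiveTuple]]:
    """Yield (key, five_tuple) for every TCP-over-IPv4 frame in a libpcap byte string."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE:
        end = ">"
    else:
        raise ValueError("not a libpcap file (bad magic)")
    if struct.unpack_from(end + "I", data, 20)[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are handled here")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        sec, usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        frame = data[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 6:
            continue  # not TCP
        ip_hdr = frame[14:14 + ihl]
        tcp_hdr = frame[14 + ihl:14 + ihl + 20]
        if len(tcp_hdr) < 20:
            continue  # snaplen cut the frame before the TCP header ended
        src = socket.inet_ntoa(ip_hdr[12:16])
        dst = socket.inet_ntoa(ip_hdr[16:20])
        sport, dport, seq = struct.unpack_from("!HHI", tcp_hdr, 0)
        yield (sec, usec, seq), (src, sport, dst, dport)


def compare_captures(reference: bytes, suspect: bytes) -> Dict[Key, str]:
    """For each packet in both captures, relate the suspect's 5-tuple to the reference's."""
    ref = dict(parse_pcap(reference))
    verdicts: Dict[Key, str] = {}
    for key, tup in parse_pcap(suspect):
        if key not in ref:
            continue  # only one side logged it (Snort -b logs alerting packets only)
        s, sp, d, dp = ref[key]
        if tup == (s, sp, d, dp):
            verdicts[key] = "same"
        elif tup == (d, dp, s, sp):
            verdicts[key] = "swapped"
        else:
            verdicts[key] = "different"
    return verdicts


def build_pcap(packets) -> bytes:
    """Construct a little-endian Ethernet pcap from (sec, usec, src, sport, dst, dport, seq) rows (sample data only)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for sec, usec, src, sport, dst, dport, seq in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp  # zeroed MACs, EtherType IPv4
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return bytes(out)


# Constructed sample data (RFC 5737 documentation addresses, not real traffic).
# tcpdump's view: a remote client on a high port sends the request to our web server on :80.
TCPDUMP_VIEW = build_pcap([
    (1057769634, 100, "203.0.113.7", 41022, "192.0.2.10", 80, 0x1A2B3C4D),
    (1057769634, 250, "192.0.2.10", 80, "203.0.113.7", 41022, 0x7E57C0DE),
])
# The other capture's view of the same two packets: the first has its endpoints
# reversed (the symptom in the post), the second agrees with tcpdump.
SNORT_VIEW = build_pcap([
    (1057769634, 100, "192.0.2.10", 80, "203.0.113.7", 41022, 0x1A2B3C4D),
    (1057769634, 250, "192.0.2.10", 80, "203.0.113.7", 41022, 0x7E57C0DE),
])

if __name__ == "__main__":
    # Real use: compare_captures(open("tcpdump.pcap", "rb").read(), open("snort.log", "rb").read())
    for key, verdict in compare_captures(TCPDUMP_VIEW, SNORT_VIEW).items():
        print("ts=%d.%06d seq=0x%08x -> %s" % (key[0], key[1], key[2], verdict))
```

Running it against the real files tells you two things the alert alone cannot: whether the reversal is systematic or confined to the alerting packets, and whether anything beyond the 5-tuple differs (a "different" verdict with matching timestamp and sequence number points at the payload or the snaplen, not at header handling). Keys that appear only in the Snort log are skipped, since with -b Snort writes only packets that fired a rule.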
Current thread:
- Snort swapping src and dst in binary log? David Gordon (Jul 09)
- Re: Snort swapping src and dst in binary log? Tony Lill (Jul 10)
- Re: Re: Snort swapping src and dst in binary log? Erek Adams (Jul 10)
- RE: Re: Snort swapping src and dst in binary log? LucAdmin (Jul 10)
- RE: Re: Snort swapping src and dst in binary log? Erek Adams (Jul 10)
- Re: Re: Snort swapping src and dst in binary log? Erek Adams (Jul 10)
- Re: Snort swapping src and dst in binary log? Tony Lill (Jul 10)
- <Possible follow-ups>
- RE: Snort swapping src and dst in binary log? David Gordon (Jul 10)
- RE: Snort swapping src and dst in binary log? Erek Adams (Jul 10)
- Re: Snort swapping src and dst in binary log? Chris Green (Jul 14)
- RE: Snort swapping src and dst in binary log? Erek Adams (Jul 10)