Snort mailing list archives

Session mixup by stream4

From: Sonali Gupta <sonali.gupta () gmail com>
Date: Tue, 8 Feb 2005 15:00:56 +0530

Hi 

I came across this post in the neohapsis archives, which discusses an
issue similar to what I seem to be facing.

It is at: 

http://archives.neohapsis.com/archives/snort/2003-01/0858.html 

http://archives.neohapsis.com/archives/snort/2003-01/0872.html 

The discussion talks about a session payload mixup in data captured by
snort. I am also facing this issue in some sessions that I get from
snort. I am using snort 2.0 and snort 2.3 ORC2, and found the issue in
both versions. Chris mentioned in the post that the issue has been
fixed in HEAD CVS. The discussion was about version 1.9.0. Since I am
using a newer version of snort, could you please tell me if the same
fix has been applied to the newer versions, or is there some update I
need to get to fix it.

In order to figure out the session mix up issue, I did the following

a)       Ran two snorts simultaneously Snort-A and Snort-B. The
Snort-A captures the traffic and dumps it in a tcpdump format, using
the –b option and Snort-B creates the sessions real time.

b)       Then I ran Snort-C (same executable as of Snort-B), which
created session from the tcpdump produced by Snort-A. I found that the
sessions created by Snort-C for the problematic ones were not
identical to the sessions created by Snort-B and I also noticed that
the sessions created by Snort-C has lesser number of session mixups.

 

I also noted that some sessions created by Snort-B, which appeared
incomplete (data from last one or two packets were missing) were fully
formed when created by Snort-C.

 

Is there any difference between the session reassemble real time and
session reassemble using –r option.

 

During the test, we had tweaked Snort-B a bit so that it dumps all the
sessions that are reassembled. We did this by hard coding gotevent = 1
and commenting the call to the preprocessor function in FlushStream
function of ssp_stream4.c.

 

//        gotevent = Preprocess(stream_pkt);  //Commented

          gotevent = 1;        

 

Regards 

Sonali Gupta


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_ide95&alloc_id396&op=click
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Session mixup by stream4 gupta_sonali (Feb 07)
- <Possible follow-ups>
- Session mixup by stream4 Sonali Gupta (Feb 08)
  - Re: Session mixup by stream4 Matt Kettler (Feb 08)
    - Re: Session mixup by stream4 Sonali Gupta (Feb 08)
    - SNORT file data.MYD too large corrado . riva (Feb 09)
    - Re: SNORT file data.MYD too large Edin Dizdarevic (Feb 09)