Snort mailing list archives
Re: Garbage in snort logs
From: Phil Wood <cpw () lanl gov>
Date: Wed, 9 Jan 2002 10:17:03 -0700
Excellent!

On Wed, Jan 09, 2002 at 02:04:38PM +1300, russell wrote:
I have made some progress in working out what is going on. I now have two snort sensors working in parallel so I can twiddle the config file of one and see how the logs compare to the 'standard' config.

I have now established that commenting out the 'preprocessor stream4_reassemble' has the effect of not logging the packets with MAC address 0. I.e. I don't get alerts at all for these events when the reassembling is not enabled. This suggests that the problems are occurring in the reassembling code.

I tracked one alert that was logged by the snort instance doing reassembling and not logged by the other. I verified from our argus logs that there was a session at this time with the logged port numbers, but we failed to find anything in the web server logs that matched the logged content of the packet (an attempt to execute command.exe by escaping from _vti_bin).

This suggests to me that there is packet corruption taking place in the packet reassembling *before* the pattern matching takes place and that packets from different tcp streams are being mixed. From the look of the data in the logged packets I would guess that some lengths are not being correctly set so the data from some previous packet gets appended.

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
--
Phil Wood, cpw () lanl gov

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
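Russell's side-by-side comparison above (one sensor with stream4_reassemble, one without) can be scripted: parse both alert files, keep the alerts only the reassembling sensor raised, and flag those whose link-layer addresses are all zero, which marks a reassembled pseudo-packet rather than a frame seen on the wire. This is an added example, not code from the thread; the alert layout and the two sample files are constructed and assumed to follow snort's full alert format with link-layer headers.

```python
import re

# Constructed sample output from two sensors run side by side: one with
# stream4_reassemble enabled, one without. The record layout is an assumption
# modelled on snort's full alert format with link-layer headers (-e).
ALERTS_REASSEMBLY = """\
[**] [1:1002:2] WEB-IIS cmd.exe access [**]
01/08-14:03:22.123456 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x800 len:0x0
10.1.2.3:34567 -> 10.1.1.10:80 TCP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:40

[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
01/08-14:05:01.000001 0:50:DA:1:2:3 -> 0:A0:C9:4:5:6 type:0x800 len:0x5EA
10.1.2.9:1234 -> 10.1.1.10:80 TCP TTL:128 TOS:0x0 ID:4711 IpLen:20 DgmLen:1500
"""
ALERTS_PLAIN = """\
[**] [1:1256:2] WEB-IIS CodeRed v2 root.exe access [**]
01/08-14:05:01.000001 0:50:DA:1:2:3 -> 0:A0:C9:4:5:6 type:0x800 len:0x5EA
10.1.2.9:1234 -> 10.1.1.10:80 TCP TTL:128 TOS:0x0 ID:4711 IpLen:20 DgmLen:1500
"""

HDR = re.compile(r"^\[\*\*\] \[(\d+:\d+:\d+)\] (.+?) \[\*\*\]$")
ETH = re.compile(r"^(\S+) ([0-9A-Fa-f:]+) -> ([0-9A-Fa-f:]+) type:0x[0-9A-Fa-f]+ len:0x([0-9A-Fa-f]+)$")
IP4 = re.compile(r"^(\S+) -> (\S+) (TCP|UDP|ICMP)\b")

def parse_alerts(text):
    """Split alert output into records: sig id, message, timestamp, MACs, endpoints."""
    records, cur = [], None
    for line in text.splitlines():
        if m := HDR.match(line):
            cur = {"sig": m.group(1), "msg": m.group(2)}
            records.append(cur)
        elif cur and (m := ETH.match(line)):
            cur.update(ts=m.group(1), src_mac=m.group(2), dst_mac=m.group(3),
                       frame_len=int(m.group(4), 16))
        elif cur and (m := IP4.match(line)):
            cur.update(src=m.group(1), dst=m.group(2))
    return records

def is_zero_mac(mac):
    """True for an all-zero address, as carried by reassembled pseudo-packets."""
    return all(int(octet, 16) == 0 for octet in mac.split(":"))

def reassembly_only(with_reasm, without_reasm):
    """Alerts seen only by the reassembling sensor, keyed on signature and endpoints."""
    seen = {(a["sig"], a["src"], a["dst"]) for a in parse_alerts(without_reasm)}
    return [a for a in parse_alerts(with_reasm) if (a["sig"], a["src"], a["dst"]) not in seen]

if __name__ == "__main__":
    for a in reassembly_only(ALERTS_REASSEMBLY, ALERTS_PLAIN):
        flag = "reassembled pseudo-packet (zero MAC)" if is_zero_mac(a["src_mac"]) else "real frame"
        print(f'{a["ts"]} {a["sig"]} {a["msg"]} {a["src"]} -> {a["dst"]}: {flag}')
```

Alerts that only the reassembling sensor raises and that carry zero MACs are the ones to cross-check against session records and server logs, as Russell did with argus.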