Snort mailing list archives
Re: snort 1.8.3 splicing packets
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 10 Jan 2002 13:27:49 -0500
Scott Nursten wrote:
> Greetings all,
>
> Anyone had strange behaviour out of Snort 1.8.3? I've had two really strange incidents being:
>
> 1. Snort seems to be splicing packets - i.e. if I nmap a machine and surf the web at the same time, I get ICMP/HTTP spliced packets in my MySQL DB. At first it looked really scary, like ICMP tunnelling or something to that effect, but when I realised that I controlled what went into the ICMP packet, I dropped a Trinux box on the network and dumped the packets alongside snort. The result was astounding - no HTTP data in my ICMP packets after all :)
This is being worked on, we use a common scratch buffer for reassembled tcp streams and old data is being left in the buffer for some reason. This is being actively worked on.
> 2. A friend of mine has just installed 1.8.3 and seems to be having some difficulty reading some of the tcpdump format log files with tcpdump || snort. It seems that it has some difficulties with the pcap:
>
>     tcpdump: pcap_loop: bogus savefile header
>
> This is very strange to me as both the tcpdump and the snort were compiled with a fresh 0.6.2 pcap from tcpdump.org. What's even stranger is he can read SOME of the files that snort writes, but not others!!!
Is one of the systems a RedHat linux box (and why are you reporting bugs without following the BUGS file...)? If so, that's probably your problem. RedHat, in their infinite wisdom, decided to change the pcap headers for their distro, breaking the cross-platform nature of the pcap format. Check out pcapedit that comes with Ethereal, it should be able to fix the problems.

-Marty

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
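Marty's answer points at the pcap global header as the place where a "bogus savefile header" error originates. The inspector below is an added example, not code from the thread or from Snort/libpcap: it reads the 24-byte global header, tells apart the classic magic from a byte-swapped file and from the "modified" magic that libpcap's own reader associates with the Kuznetzov-patched libpcap (assumed here to be the Red Hat variant Marty refers to), and reports anything a stock tcpdump would reject.

```python
import struct

# Known pcap global-header magic numbers (as written in the file's byte order).
PCAP_MAGIC = 0xA1B2C3D4          # classic tcpdump/libpcap, microsecond timestamps
PCAP_NSEC_MAGIC = 0xA1B23C4D     # nanosecond-timestamp variant
# Magic written by the Kuznetzov-patched libpcap; its per-packet header carries
# extra fields, so a stock tcpdump of the era rejects such files. Assumed here to
# be the patched-distro variant discussed in the thread.
PCAP_MODIFIED_MAGIC = 0xA1B2CD34

HEADER_LEN = 24  # magic, version_major, version_minor, thiszone, sigfigs, snaplen, linktype
_NAMES = {PCAP_MAGIC: "pcap", PCAP_NSEC_MAGIC: "pcap-nsec", PCAP_MODIFIED_MAGIC: "pcap-modified"}


def inspect_pcap_header(data: bytes) -> dict:
    """Classify the pcap global header at the start of `data`.

    Returns the recognised format, byte order and parsed fields, or
    format='bogus' with a reason when a stock reader would refuse the file.
    """
    if len(data) < HEADER_LEN:
        return {"format": "bogus", "reason": "file shorter than the 24-byte global header"}
    magic_le = struct.unpack("<I", data[:4])[0]
    magic_be = struct.unpack(">I", data[:4])[0]
    if magic_le in _NAMES:
        order, magic = "<", magic_le
    elif magic_be in _NAMES:
        order, magic = ">", magic_be
    else:
        return {"format": "bogus", "reason": f"unknown magic 0x{magic_be:08x}"}
    vmaj, vmin, _zone, _sigfigs, snaplen, linktype = struct.unpack(order + "HHiIII", data[4:HEADER_LEN])
    info = {
        "format": _NAMES[magic],
        "byte_order": "little" if order == "<" else "big",
        "version": (vmaj, vmin),
        "snaplen": snaplen,
        "linktype": linktype,
    }
    if (vmaj, vmin) != (2, 4):
        info["warning"] = f"unexpected version {vmaj}.{vmin}"
    return info


def make_header(magic: int, order: str = "<", snaplen: int = 1514, linktype: int = 1) -> bytes:
    """Build a constructed 24-byte global header (sample data, not a real capture)."""
    return struct.pack(order + "IHHiIII", magic, 2, 4, 0, 0, snaplen, linktype)


if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as fh:
        print(inspect_pcap_header(fh.read(HEADER_LEN)))
```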