Snort mailing list archives
Re: snort 1.8.3 splicing packets
From: Martin Roesch <roesch () sourcefire com>
Date: Thu, 10 Jan 2002 13:27:49 -0500
Scott Nursten wrote:
> Greetings all,
>
> Anyone had strange behaviour out of Snort 1.8.3? I've had two really strange incidents being:
>
> 1. Snort seems to be splicing packets - i.e. if I nmap a machine and surf the web at the same time, I get ICMP/HTTP spliced packets in my MySQL DB. At first it looked really scary, like ICMP tunnelling or something to that effect, but when I realised that I controlled what went into the ICMP packet, I dropped a Trinux box on the network and dumped the packets alongside snort. The result was astounding - no HTTP data in my ICMP packets after all :)

This is being worked on, we use a common scratch buffer for reassembled tcp streams and old data is being left in the buffer for some reason. This is being actively worked on.

> 2. A friend of mine has just installed 1.8.3 and seems to be having some difficulty reading some of the tcpdump format log files with tcpdump || snort. It seems that it has some difficulties with the pcap.
>
> tcpdump: pcap_loop: bogus savefile header
>
> This is very strange to me as both the tcpdump and the snort were compiled with a fresh 0.6.2 pcap from tcpdump.org. What's even stranger is he can read SOME of the files that snort writes, but not others!!!
Is one of the systems a RedHat linux box (and why are you reporting bugs
without following the BUGS file...)? If so, that's probably your
problem, RedHat in their infinite wisdom decided to change the pcap
headers for their distro, breaking the cross-platform nature of the pcap
format. Check out pcapedit that comes with Ethereal, it should be able
to fix the problems.
-Marty
--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch () sourcefire com - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
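As an added illustration of the second problem (example code, not from Snort, libpcap or this thread): a small C routine that classifies a pcap global header by its magic number, including the modified RedHat/Kuznetsov header, so files that will produce "bogus savefile header" can be identified before feeding them to tcpdump or snort. The magic constants are libpcap's; the sample headers are constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not Snort or libpcap code): classify the pcap savefile header
 * behind tcpdump's "bogus savefile header". Magic values are libpcap's;
 * 0xa1b2cd34 is the modified header from RedHat's patched libpcap. */
#define PCAP_MAGIC      0xa1b2c3d4u
#define KUZNETSOV_MAGIC 0xa1b2cd34u
#define PCAP_HDR_LEN    24
enum pcap_kind { PCAP_TOO_SHORT, PCAP_LE, PCAP_BE, PCAP_KUZNETSOV, PCAP_BOGUS };

static uint32_t rd32(const unsigned char *p, int big_endian) {
    return big_endian
        ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
        : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}
static void wr32(unsigned char *p, uint32_t v, int big_endian) {
    for (int i = 0; i < 4; i++)
        p[big_endian ? 3 - i : i] = (unsigned char)(v >> (8 * i));
}

/* Standard files are valid in either byte order. The Kuznetsov magic marks
 * files whose per-packet record headers carry extra fields, which a reader
 * built for the stock layout mis-parses or rejects. Anything else is bogus. */
enum pcap_kind classify_pcap_header(const unsigned char *buf, size_t len) {
    if (len < PCAP_HDR_LEN) return PCAP_TOO_SHORT;
    uint32_t le = rd32(buf, 0), be = rd32(buf, 1);
    if (le == PCAP_MAGIC) return PCAP_LE;
    if (be == PCAP_MAGIC) return PCAP_BE;
    if (le == KUZNETSOV_MAGIC || be == KUZNETSOV_MAGIC) return PCAP_KUZNETSOV;
    return PCAP_BOGUS;
}

/* Constructed test header: magic, version 2.4, snaplen 65535, linktype 1. */
void make_pcap_header(uint32_t magic, int big_endian, unsigned char out[PCAP_HDR_LEN]) {
    memset(out, 0, PCAP_HDR_LEN);
    wr32(out, magic, big_endian);
    out[big_endian ? 5 : 4] = 2;   /* version_major, uint16 */
    out[big_endian ? 7 : 6] = 4;   /* version_minor, uint16 */
    wr32(out + 16, 65535u, big_endian);
    wr32(out + 20, 1u, big_endian);
}

int main(void) {
    static const char *names[] = { "too short", "pcap LE", "pcap BE", "Kuznetsov/RedHat", "bogus" };
    unsigned char h[PCAP_HDR_LEN];
    make_pcap_header(KUZNETSOV_MAGIC, 0, h);           /* the file tcpdump rejects */
    printf("%s\n", names[classify_pcap_header(h, sizeof h)]);
    return 0;
}
```

Running the classifier over the first 24 bytes of each of the files that fail tells you whether they carry the modified header or are simply truncated.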
Snort-users mailing list
Snort-users () lists sourceforge net