Snort mailing list archives
stream4_reassemble and logs
From: sekure <sekure () gmail com>
Date: Thu, 8 Jul 2004 12:26:01 -0400
Greetings. I just upgraded to Snort 2.2.0RC1 on Solaris 8 and noticed a curious "feature". I have the stream4 and stream4_reassemble preprocessors enabled and log things in tcpdump format as well as to a unified log facility for insertion into MySQL.

In previous versions of Snort, stream4_reassemble used to mangle packets pretty badly, and output packets to pcap and the unified log that would not be recognized as IP packets because the headers were all messed up. Best I could tell, Snort would insert extra data at the beginning of the packet and everything would shift "right", pushing the last 6 or so bytes of the destination ether address into the beginning of the IP header. As a result barnyard wouldn't process them and they would never make it into my database. I have plenty of examples, but for some reason I only noticed this happening with FTP traffic.

Anyway, I upgraded to 2.2.0RC1 and suddenly started noticing certain FTP alerts in my database that I never saw before. When I went to investigate, the pcap file on the sensor would still be mangled beyond recognition (same as before), BUT the unified log would be accurate, and if I ran it through barnyard and told it to recreate a pcap file, I would have 4 (or however many were in the stream) correct, individual packets, which get logged into the database.

So, EITHER the unified output is messed up and not writing the packets as a single reassembled packet when it should (which by the way I like, because I can finally see just what the heck I was missing), OR the stream4 reassembly issue got fixed, but somehow the pcap log function still isn't working correctly.

Either way, I am a little confused. Definitely better off than I was before, but still wishing for improvement. :) Just wanted the dev team to be aware. Contact me if you want pcap samples of any of this.
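As an added example (not code from the original post or from the Snort project), the following Python script implements the kind of header sanity check the poster's description calls for: it walks a libpcap file and flags any record whose Ethernet and IPv4 headers are inconsistent, which is what a right-shifted packet looks like when a pcap reader tries to decode it. The FTP frame it builds, the in-memory pcap it writes and the six-byte junk prefix it uses to simulate the shift are all constructed here and are an approximation of the reported symptom, not a reproduction of Snort's output.

```python
import struct
import sys

ETHERTYPE_IPV4 = 0x0800
PCAP_MAGIC = 0xA1B2C3D4          # libpcap magic as written by a little-endian host
ETH_HDR_LEN = 14
IP_MIN_HDR_LEN = 20


def build_ipv4_tcp_frame(payload=b"USER anonymous\r\n"):
    """Constructed sample frame (not from the original report): Ethernet / IPv4 / TCP
    carrying a small FTP command. Checksums are left at zero; the checker ignores them."""
    dst_mac = bytes.fromhex("001122334455")
    src_mac = bytes.fromhex("66778899aabb")
    eth = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    # TCP: sport, dport 21, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40000, 21, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = IP_MIN_HDR_LEN + len(tcp) + len(payload)
    # IPv4: ver/IHL, TOS, total length, id, flags/frag, TTL, proto 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return eth + ip + tcp + payload


def shift_right(frame, junk=b"\xde\xad\xbe\xef\xca\xfe"):
    """Prepend junk so every header field lands at the wrong offset. This is an
    assumed approximation of the shift the post describes, not Snort's actual behaviour."""
    return junk + frame


def check_frame(frame):
    """Return the reasons this Ethernet frame does not decode as a sane IPv4 packet;
    an empty list means the link and network headers are mutually consistent."""
    problems = []
    if len(frame) < ETH_HDR_LEN + IP_MIN_HDR_LEN:
        return ["frame shorter than Ethernet + IPv4 headers"]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        problems.append(f"ethertype 0x{ethertype:04x} is not IPv4")
    version, ihl = frame[14] >> 4, frame[14] & 0x0F
    if version != 4:
        problems.append(f"IP version nibble is {version}, expected 4")
    if ihl < 5:
        problems.append(f"IHL {ihl} is below the 5-word minimum")
    total_len = struct.unpack("!H", frame[16:18])[0]
    captured = len(frame) - ETH_HDR_LEN
    # Short frames are legitimately padded on the wire, so only a total length that
    # exceeds the captured bytes (or is smaller than a header) is suspicious.
    if total_len > captured or total_len < IP_MIN_HDR_LEN:
        problems.append(f"IP total length {total_len} inconsistent with {captured} captured bytes")
    proto = frame[23]
    if proto not in (1, 6, 17):          # ICMP, TCP, UDP are all this checker expects
        problems.append(f"unexpected IP protocol {proto}")
    return problems


def build_pcap(frames, snaplen=65535):
    """Serialize frames into an in-memory little-endian libpcap file, link type 1 (Ethernet)."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1089300000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap_records(data):
    """Yield (index, frame_bytes) from a libpcap file written by either byte order."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError(f"not a libpcap file (magic 0x{magic:08x})")
    off, idx = 24, 0
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield idx, data[off:off + incl_len]
        off += incl_len
        idx += 1


def scan_pcap(data):
    """Return [(record_index, problems)] for every record that fails check_frame."""
    report = []
    for idx, frame in iter_pcap_records(data):
        problems = check_frame(frame)
        if problems:
            report.append((idx, problems))
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read()
    else:
        # No file given: demonstrate on a constructed good frame and a shifted copy.
        good = build_ipv4_tcp_frame()
        data = build_pcap([good, shift_right(good)])
    for idx, problems in scan_pcap(data):
        print(f"record {idx}: " + "; ".join(problems))
```

Run it with a path to a Snort tcpdump-format log to list the record numbers that would not parse as IPv4; run it with no arguments to see the constructed good and shifted frames, where the shifted one is reported with a bogus ethertype, a wrong version nibble, an impossible total length and an unknown protocol number all at once.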