[Snort-devel] 2 possible bugs in Snort 1.9.0

JP Vossen JP at ...1659...
Mon Nov 4 05:58:06 EST 2002


PLEASE copy my e-mail address (jp at ...1659...) on any replies, as I am not a member of this list.  Thank you.

In researching an issue to find out why Counterpane is having trouble correctly filtering and parsing Snort messages when Snort is running under Windows, I found the following 2 possible bugs.  Searching the archives of this list and the "Snort Users" list did not return any relevant hits.  This list had some discussion about IDSCenter and spaces in the directory name, but that was all I found.

The first issue is easy.  And I lied, it IS in the list at http://marc.theaimsgroup.com/?l=snort-devel&m=103444790802140&w=2...  It's the "-s now requires an argument under UNIX, even though it shouldn't" thing.  So I noticed it too.
The second issue also seems simple enough.  Snort using -s and running on Windows seems to insert 3 spaces between the facility/priority code and the program name.  See the sniffer captures (snort -qvde, with NetCat to trigger it) below.  Is that a feature or a bug?  It is currently causing Counterpane's filters not to work for Snort on Windows, as we don't expect white space there.  I have confirmed this behavior on Windows 2000 using Snort 1.8.7 and 1.9.0.

192.168.99.100:514 -> 192.168.99.5:514 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:185 DF
Len: 165
3C 33 38 3E 73 6E 6F 72 74 5B 38 35 32 34 5D 3A  <38>snort[8524]:
20 5B 31 3A 32 37 31 3A 33 5D 20 44 4F 53 20 55   [1:271:3] DOS U
44 50 20 65 63 68 6F 2B 63 68 61 72 67 65 6E 20  DP echo+chargen
62 6F 6D 62 20 5B 43 6C 61 73 73 69 66 69 63 61  bomb [Classifica
74 69 6F 6E 3A 20 41 74 74 65 6D 70 74 65 64 20  tion: Attempted
44 65 6E 69 61 6C 20 6F 66 20 53 65 72 76 69 63  Denial of Servic
65 5D 20 5B 50 72 69 6F 72 69 74 79 3A 20 32 5D  e] [Priority: 2]
3A 20 7B 55 44 50 7D 20 31 39 32 2E 31 36 38 2E  : {UDP} 192.168.
39 39 2E 31 32 3A 37 20 2D 3E 20 31 39 32 2E 31  99.12:7 -> 192.1
36 38 2E 39 39 2E 31 30 30 3A 31 39 0A           68.99.100:19.


192.168.99.199:2130 -> 192.168.99.5:514 UDP TTL:128 TOS:0x0 ID:27690 IpLen:20 DgmLen:187
Len: 167
3C 33 38 3E 20 20 20 73 6E 6F 72 74 5B 31 33 30  <38>   snort[130
30 5D 3A 20 5B 31 3A 32 37 31 3A 33 5D 20 44 4F  0]: [1:271:3] DO
53 20 55 44 50 20 65 63 68 6F 2B 63 68 61 72 67  S UDP echo+charg
65 6E 20 62 6F 6D 62 20 5B 43 6C 61 73 73 69 66  en bomb [Classif
69 63 61 74 69 6F 6E 3A 20 41 74 74 65 6D 70 74  ication: Attempt
65 64 20 44 65 6E 69 61 6C 20 6F 66 20 53 65 72  ed Denial of Ser
76 69 63 65 5D 20 5B 50 72 69 6F 72 69 74 79 3A  vice] [Priority:
20 32 5D 3A 20 7B 55 44 50 7D 20 31 39 32 2E 31   2]: {UDP} 192.1
36 38 2E 39 39 2E 31 32 3A 37 20 2D 3E 20 31 39  68.99.12:7 -> 19
32 2E 31 36 38 2E 39 39 2E 31 39 39 3A 31 39     2.168.99.199:19


Can anyone confirm these as bugs, and let me know when they might be addressed if so?

Thanks for your time, and for the coolest IDS out there IMHO!
JP
__________________________________________
JP Vossen, CISSP
Counterpane Internet Security: Integration Manager
jp at ...1659...
PGP: 4A66 F380 061B ED7E 2D5B  68B0 48C7 9B0E C1ED E7FA
Work: 610-409-2765  Cell: 610-812-0930    (TZ: -0500 [EST5EDT])
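The two `snort -qvde` payload dumps above, rebuilt into bytes and fed through a syslog parser, as an added example that is not part of the original post and is not Snort's or Counterpane's code. The dump text is copied from the captures; the two regular expressions are my own stand-ins for the filter behaviour the post describes (a pattern that expects the program name directly after `<PRI>`, and a tolerant variant that skips the run of spaces the Windows build inserts). Running it shows the UNIX payload passing both patterns and the Windows payload passing only the tolerant one, while the decoded fields (facility 4, severity info, sid 271, priority 2) are identical.

```python
"""Decode the two payload dumps from the captures above and parse the syslog
messages they carry.  Added example for this thread, not code from Snort or
Counterpane; the dump text is copied from the post, the filter patterns are
stand-ins for a filter that does not expect white space after <PRI>."""
import re
from dataclasses import dataclass
from typing import Optional

# Capture 1: Snort on UNIX (192.168.99.100), copied from the post.
UNIX_DUMP = """\
3C 33 38 3E 73 6E 6F 72 74 5B 38 35 32 34 5D 3A  <38>snort[8524]:
20 5B 31 3A 32 37 31 3A 33 5D 20 44 4F 53 20 55   [1:271:3] DOS U
44 50 20 65 63 68 6F 2B 63 68 61 72 67 65 6E 20  DP echo+chargen
62 6F 6D 62 20 5B 43 6C 61 73 73 69 66 69 63 61  bomb [Classifica
74 69 6F 6E 3A 20 41 74 74 65 6D 70 74 65 64 20  tion: Attempted
44 65 6E 69 61 6C 20 6F 66 20 53 65 72 76 69 63  Denial of Servic
65 5D 20 5B 50 72 69 6F 72 69 74 79 3A 20 32 5D  e] [Priority: 2]
3A 20 7B 55 44 50 7D 20 31 39 32 2E 31 36 38 2E  : {UDP} 192.168.
39 39 2E 31 32 3A 37 20 2D 3E 20 31 39 32 2E 31  99.12:7 -> 192.1
36 38 2E 39 39 2E 31 30 30 3A 31 39 0A           68.99.100:19.
"""
# Capture 2: Snort on Windows 2000 (192.168.99.199), copied from the post.
WINDOWS_DUMP = """\
3C 33 38 3E 20 20 20 73 6E 6F 72 74 5B 31 33 30  <38>   snort[130
30 5D 3A 20 5B 31 3A 32 37 31 3A 33 5D 20 44 4F  0]: [1:271:3] DO
53 20 55 44 50 20 65 63 68 6F 2B 63 68 61 72 67  S UDP echo+charg
65 6E 20 62 6F 6D 62 20 5B 43 6C 61 73 73 69 66  en bomb [Classif
69 63 61 74 69 6F 6E 3A 20 41 74 74 65 6D 70 74  ication: Attempt
65 64 20 44 65 6E 69 61 6C 20 6F 66 20 53 65 72  ed Denial of Ser
76 69 63 65 5D 20 5B 50 72 69 6F 72 69 74 79 3A  vice] [Priority:
20 32 5D 3A 20 7B 55 44 50 7D 20 31 39 32 2E 31   2]: {UDP} 192.1
36 38 2E 39 39 2E 31 32 3A 37 20 2D 3E 20 31 39  68.99.12:7 -> 19
32 2E 31 36 38 2E 39 39 2E 31 39 39 3A 31 39     2.168.99.199:19
"""

def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the UDP payload: the hex column occupies the first 48 characters
    of every snort -vde line (16 bytes x 3 chars); the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        out.extend(int(tok, 16) for tok in line[:48].split())
    return bytes(out)

SEVERITIES = ("emerg", "alert", "crit", "err", "warning", "notice", "info", "debug")

# Strict shape: the TAG must follow <PRI> immediately (no HEADER, as Snort 1.x sends it).
STRICT_RE = re.compile(r"^<(\d{1,3})>([A-Za-z0-9_.-]+)(?:\[(\d+)\])?:\s(.*)$", re.S)
# Tolerant shape: skip any spaces/tabs inserted between <PRI> and the TAG.
TOLERANT_RE = re.compile(r"^<(\d{1,3})>[ \t]*([A-Za-z0-9_.-]+)(?:\[(\d+)\])?:\s(.*)$", re.S)
# Alert body as seen in the captures: [gid:sid:rev] msg [Classification: c] [Priority: p]: {PROTO} src -> dst
ALERT_RE = re.compile(
    r"^\[(\d+):(\d+):(\d+)\]\s+(.*?)"
    r"(?:\s+\[Classification:\s+(.*?)\])?"   # classification is optional
    r"\s+\[Priority:\s+(\d+)\]:\s+"
    r"\{(\w+)\}\s+(\S+)\s+->\s+(\S+)\s*$", re.S)

@dataclass
class SnortAlert:
    facility: int
    severity: str
    tag: str
    pid: Optional[int]
    gid: int
    sid: int
    rev: int
    message: str
    classification: Optional[str]
    priority: int
    proto: str
    src: str
    dst: str

def parse(payload: bytes, tolerant: bool = True) -> Optional[SnortAlert]:
    """Return the decoded alert, or None when the payload does not pass the filter."""
    m = (TOLERANT_RE if tolerant else STRICT_RE).match(payload.decode("ascii", "replace"))
    if not m:
        return None
    pri = int(m.group(1))
    if pri > 191:                  # facility 0..23 and severity 0..7, so PRI is at most 191
        return None
    a = ALERT_RE.match(m.group(4))
    if not a:
        return None
    return SnortAlert(
        facility=pri >> 3, severity=SEVERITIES[pri & 7],
        tag=m.group(2), pid=int(m.group(3)) if m.group(3) else None,
        gid=int(a.group(1)), sid=int(a.group(2)), rev=int(a.group(3)),
        message=a.group(4), classification=a.group(5), priority=int(a.group(6)),
        proto=a.group(7), src=a.group(8), dst=a.group(9))

if __name__ == "__main__":
    for name, dump in (("unix", UNIX_DUMP), ("windows", WINDOWS_DUMP)):
        data = dump_to_bytes(dump)
        print(name, len(data), "bytes; strict:", parse(data, tolerant=False) is not None,
              "tolerant:", parse(data) is not None)
```

The payload lengths come out as 157 and 159 bytes, matching the UDP `Len:` values in the captures (165 and 167) minus the 8-byte UDP header; the two-byte difference is the three inserted spaces less the trailing newline the Windows build does not send. A filter that anchors on `<PRI>` and then skips `[ \t]*` before the tag keeps working whether or not the sender pads the message.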