[Snort-devel] Snort 2.0 build13 problem

Chris Green cmg at ...835...
Tue Oct 29 06:24:08 EST 2002

"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:

> Thanks Chris,
> I will try that next, however I think I might have something else going
> wrong.  I ran a test with httpflow shutoff and found similiar results.
> ~ The following packet was detected by the same rule ( listed below).
> ~ This packet seems to contain a mix of to_server and to_client data.  In
> fact the first 145 bytes appear to be a server response going TO port 80
> instead of from port 80.  What can I do to trace this problem?

Hrm.  That is odd.  The first thing to do is run a parallel tcpdump
capturing traffic and try to reproduce the original bug.

ex: tcpdump -i eth0 -w bug-large.cap -s 65335 

Run snort over the bug-large.cap to verify that the bug is reproduced
in the capture.

ex: snort -c /etc/snort.conf -A fast -b -l /tmp 

Then, when there's a large number of sessions available, filter the
capture down to 1 or 2 sessions that are releated to the corrupted
stream using bpf syntax for tcpdump.

Once it's gotten down to a smallish test case, mail it off to me and
I'll see what the issue is.

If you get the first 2 stages done, I'm more than willing to help
whittle the cases.

Can you see that the version of spp_stream4 that you are using is
1.125 updated last on the 2002/10/18?

Chris Green <cmg at ...402...>
To err is human, to moo bovine.

More information about the Snort-devel mailing list