[Snort-devel] Snort 2.0 build13 problem
cmg at ...835...
Tue Oct 29 06:24:08 EST 2002
"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:
> Thanks Chris,
> I will try that next, however I think I might have something else going
> wrong. I ran a test with httpflow shutoff and found similar results.
> ~ The following packet was detected by the same rule ( listed below).
> ~ This packet seems to contain a mix of to_server and to_client data. In
> fact the first 145 bytes appear to be a server response going TO port 80
> instead of from port 80. What can I do to trace this problem?
Hrm. That is odd. The first thing to do is run a parallel tcpdump
capturing traffic and try to reproduce the original bug.
ex: tcpdump -i eth0 -w bug-large.cap -s 65335
Run snort over the bug-large.cap to verify that the bug is reproduced
in the capture.
ex: snort -c /etc/snort.conf -A fast -b -l /tmp
Then, when there's a large number of sessions available, filter the
capture down to 1 or 2 sessions that are related to the corrupted
stream using bpf syntax for tcpdump.
Once it's gotten down to a smallish test case, mail it off to me and
I'll see what the issue is.
If you get the first 2 stages done, I'm more than willing to help
whittle the cases.
Can you see that the version of spp_stream4 that you are using is
1.125 updated last on the 2002/10/18?
Chris Green <cmg at ...402...>
To err is human, to moo bovine.
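The whittling stage described above, as an added example that is not code from this thread or from Snort: a small libpcap reader/writer that cuts a capture down to one TCP session (the equivalent of `tcpdump -r bug-large.cap -w bug-small.cap 'host A and host B and port 80'`) and flags the symptom Lawrence describes, segments headed TO port 80 whose payload looks like an HTTP server response. The hosts, ports, payloads and the `HTTP/1.` heuristic are all constructed assumptions; the sample capture is built inline so the script runs offline with no tcpdump or pcap library.

```python
import struct

# --- minimal libpcap format: magic 0xa1b2c3d4, link type 1 (Ethernet) ---
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ip4(s):
    return bytes(int(x) for x in s.split("."))


def tcp_packet(src, sport, dst, dport, payload):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left zero; fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     ip4(src), ip4(dst)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip          # dummy MACs, ethertype IPv4


def write_pcap(frames):
    out = bytearray(PCAP_GLOBAL)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1000000 + i, 0, len(f), len(f)) + f   # ts_sec, ts_usec, incl, orig
    return bytes(out)


def read_pcap(data):
    """Yield (raw_frame, src, sport, dst, dport, payload) for each TCP-over-IPv4 frame."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00":          # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                           # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total_len = struct.unpack("!H", ip[2:4])[0]
        src = ".".join(str(b) for b in ip[12:16])
        dst = ".".join(str(b) for b in ip[16:20])
        tcp = ip[ihl:total_len]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield frame, src, sport, dst, dport, tcp[doff:]


def whittle(data, host_a, host_b, port):
    """Keep one session, both directions: tcpdump's 'host A and host B and port P'."""
    frames = [f for f, src, sp, dst, dp, _ in read_pcap(data)
              if {src, dst} == {host_a, host_b} and port in (sp, dp)]
    return write_pcap(frames)


def misdirected_responses(data, server_port=80):
    """Flag segments sent TO the server port that carry what looks like a server response.

    Heuristic (assumption for this example): a payload starting with 'HTTP/1.'.
    """
    return [(src, sp, dst, dp, payload[:40])
            for _, src, sp, dst, dp, payload in read_pcap(data)
            if dp == server_port and payload.startswith(b"HTTP/1.")]


# Constructed sample capture: one normal exchange, one anomalous segment like the
# one reported (response text travelling toward port 80), one unrelated session.
SAMPLE = write_pcap([
    tcp_packet("10.0.0.5", 40001, "10.0.0.80", 80, b"GET / HTTP/1.0\r\nHost: www\r\n\r\n"),
    tcp_packet("10.0.0.80", 80, "10.0.0.5", 40001, b"HTTP/1.0 200 OK\r\nContent-Length: 2\r\n\r\nok"),
    tcp_packet("10.0.0.5", 40001, "10.0.0.80", 80, b"HTTP/1.0 200 OK\r\n\r\n" + b"A" * 120),
    tcp_packet("10.0.0.7", 40500, "10.0.0.81", 80, b"GET /x HTTP/1.0\r\n\r\n"),
])

if __name__ == "__main__":
    small = whittle(SAMPLE, "10.0.0.5", "10.0.0.80", 80)
    with open("bug-small.cap", "wb") as fh:     # the test case you would mail off
        fh.write(small)
    for src, sp, dst, dp, head in misdirected_responses(small):
        print(f"response-looking data {src}:{sp} -> {dst}:{dp}: {head!r}")
```

Run it on a real capture by replacing `SAMPLE` with the bytes of `bug-large.cap`; if `misdirected_responses` fires on the raw capture, the mixed-direction data is on the wire and not something stream4 produced, which answers the question of where to look next.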