[Snort-devel] Merged packets - bug
elof at ...969...
Fri Apr 25 07:10:17 EDT 2003
I've found a critical bug, but I'm not sure if it is in snort, libpcap,
in my hardware or somewhere else.
When snort logs an alert, the logged packet is sometimes corrupt. It is a
merge of the offending packet and some other data. The first part of the
packet is the real offending packet, but at the end I see the payload from
some completely other packet. The logged packet of course has a bad tcp
Has anyone else experienced the same thing?
I have twelve IBM-servers with two built-in Broadcom Gigabit ethernet
interfaces. All twelve servers run snort 1.9.1 on FreeBSD 4.7 and all
twelve of them have logged one or more packets with merged payload.
I think the bug is in snort since I think I would experience all kinds of
other errors if the bug was located in the IBM-hardware, the
Broadcom-interface, the FreeBSD-broadcom (bge) driver or in libpcap.
All my snorts are configured to log to file and mysql. Both destinations
get a copy of this corrupt packet.