[Snort-devel] Merged packets - bug

Martin Olsson elof at ...969...
Fri Apr 25 07:10:17 EDT 2003


I've found a critical bug, but I'm not sure if it is in snort, libpcap,
in my hardware or somewhere else.

Bug description:
When snort logs an alert, the logged packet is sometimes corrupt. It is a
merge of the offending packet and some other data. The first part of the
packet is the real offending packet, but at the end I see the payload from
some completely different packet. The logged packet of course has a bad TCP
checksum.


Has anyone else experienced the same thing?


I have twelve IBM servers with two built-in Broadcom Gigabit Ethernet
interfaces. All twelve servers run snort 1.9.1 on FreeBSD 4.7 and all
twelve of them have logged one or more packets with merged payload.

I think the bug is in snort, since I think I would experience all kinds of
other errors if the bug were located in the IBM hardware, the
Broadcom interface, the FreeBSD Broadcom (bge) driver or in libpcap.

All my snorts are configured to log to file and MySQL. Both destinations
get a copy of this corrupt packet.

/Martin
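
The symptom above (a logged packet whose tail carries another packet's payload, and which therefore fails its TCP checksum) can be confirmed mechanically over a snort pcap log. The script below is an added example, not code from the original post or from Snort or libpcap: it parses Ethernet/IPv4/TCP frames, verifies the IP header and TCP checksums, and compares the captured length with the length the IP header claims, so that a frame merged with foreign data (IP length covering the extra bytes, checksum bad) is told apart from a frame that merely has trailer bytes past the IP length (checksum good, trailer present). The MAC/IP addresses, payloads and the in-memory pcap are constructed here for illustration; the `merge_frames` helper only simulates the corruption the post describes.

```python
import struct
from typing import Dict, Iterator, List

# Constructed sample endpoints (not from the original post).
SRC_IP = "10.0.0.1"
DST_IP = "10.0.0.2"


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words; returns 0 when data already contains a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def tcp_checksum(src: bytes, dst: bytes, tcp_segment: bytes) -> int:
    """TCP checksum including the IPv4 pseudo-header (src, dst, zero, proto 6, length)."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp_segment))
    return ones_complement_sum(pseudo + tcp_segment)


def build_tcp_frame(payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame with consistent lengths and valid checksums."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    # sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum=0, urg
    tcp_hdr = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    seg = tcp_hdr + payload
    csum = tcp_checksum(ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP), seg)
    seg = seg[:16] + struct.pack("!H", csum) + seg[18:]
    total_len = 20 + len(seg)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                         ip_to_bytes(SRC_IP), ip_to_bytes(DST_IP))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ones_complement_sum(ip_hdr)) + ip_hdr[12:]
    return eth + ip_hdr + seg


def merge_frames(victim: bytes, foreign: bytes, bump_ip_length: bool) -> bytes:
    """Simulate the reported corruption: append another packet's payload to a frame.
    With bump_ip_length the IP total length is raised to cover the appended bytes
    (TCP checksum no longer verifies); without it the bytes are a trailer past the IP length."""
    merged = victim + foreign
    if bump_ip_length:
        total_len = struct.unpack("!H", merged[16:18])[0] + len(foreign)
        merged = merged[:16] + struct.pack("!H", total_len) + merged[18:]
    return merged


def check_frame(frame: bytes) -> Dict[str, object]:
    """Compare captured length with the IP header's claim and verify IP and TCP checksums."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return {"tcp": False, "trailer_bytes": 0, "tcp_checksum_ok": None}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    result: Dict[str, object] = {
        "tcp": proto == 6,
        "ip_total_len": total_len,
        "caplen": len(frame),
        "trailer_bytes": len(frame) - 14 - total_len,  # > 0: bytes beyond what IP claims
        "truncated": len(frame) - 14 < total_len,
        "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0,
        "tcp_checksum_ok": None,
    }
    if proto == 6 and not result["truncated"]:
        seg = ip[ihl:total_len]  # only the bytes the IP header says belong to this packet
        result["tcp_checksum_ok"] = tcp_checksum(ip[12:16], ip[16:20], seg) == 0
    return result


# Minimal classic pcap (magic 0xa1b2c3d4, link type 1 = Ethernet) writer and reader.
PCAP_GLOBAL = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def write_pcap(frames: List[bytes]) -> bytes:
    out = bytearray(PCAP_GLOBAL)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return bytes(out)


def iter_pcap(data: bytes) -> Iterator[bytes]:
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + caplen]
        off += caplen


def suspicious(r: Dict[str, object]) -> bool:
    """A logged frame is suspect if it has trailer bytes or a failing TCP checksum."""
    return bool(r.get("trailer_bytes", 0)) and r["trailer_bytes"] > 0 or r.get("tcp_checksum_ok") is False


def scan_pcap(data: bytes) -> List[bool]:
    return [suspicious(check_frame(f)) for f in iter_pcap(data)]


# Constructed sample log: a clean frame, a merged frame, and a frame with a short trailer.
GOOD = build_tcp_frame(b"GET / HTTP/1.0\r\n\r\n")
MERGED = merge_frames(GOOD, b"foreign payload from another flow", True)
TRAILER = merge_frames(GOOD, b"\x00" * 6, False)
SAMPLE_PCAP = write_pcap([GOOD, MERGED, TRAILER])

if __name__ == "__main__":
    for i, f in enumerate(iter_pcap(SAMPLE_PCAP)):
        print(i, check_frame(f))
```

Run it against a real snort pcap log by replacing SAMPLE_PCAP with the file contents; a merged packet as described shows up with tcp_checksum_ok False and usually a bad IP checksum as well, while a frame padded by the NIC or driver shows trailer_bytes greater than zero with both checksums intact, which is the distinction that separates a snort-side merge from link-layer padding.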
