[Snort-devel] Stream4 woes ??

Chris Green cmg at ...402...
Tue Mar 11 05:19:26 EST 2003


Russell Fulton <r.fulton at ...1343...> writes:

> Hi All,
> 	I posted a note about this a week or so back but did not get any 
> response so here it goes again.

Last week was a wash. I have been trying to queue up issues as I can
look at them.

> Since I upgraded to 1.9.1 I have been getting alerts from various overflow
> rules but the contents of the logged packets don't seem to make any sense,
> they seem to contain random bits from other protocols (mainly http, surprise) 

If you can, please try out CVS 2.0 HEAD to see if the problem exists
there as well. 

How often are you getting these alerts?

Here's pretty much the standard way someone can send me a pcap.

If very often, please run a parallel tcpdump to log your network
traffic, and save it off.

Then, run snort in readback mode (-r) and see if you can create a
capture file to reproduce the bug.

If you can, try whittling the capture file down to the sessions
involved.

Try using -n <count> in readback mode to see how small of a packet
count it takes to reproduce the bug.  After that, you'll hopefully
have a file small enough to load into ethereal.  If you can whittle it
down some more, great. If not, I can still use the file if you will
let me.  So that only I can see it, please create a fulton.tgz and
encrypt it with my public key

gpg key id 0896278A 2002-04-23 Chris Green (Work) <cmg at ...402...>
Finger print C83A EFCA D203 71BC A7F5  F0A0 713B 9C92 0896 278A

Then, either place it somewhere on your network or I can give you a
location to upload your files.  If the bug can't be reproduced with
the default snort.conf, I'll need that as well.

> I am wondering if there is a new bug in stream4?

Maybe.
-- 
Chris Green <cmg at ...402...>
Eschew obfuscation.
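The reduction procedure above (parallel tcpdump, `snort -r` readback, shrinking the packet count with `-n`, then encrypting the result for the listed key) can be scripted. The following is an added example and is not part of the original message or of the Snort project: a POSIX shell script that bisects the smallest `-n <count>` that still triggers an alert, trims the capture to that prefix with tcpdump, and packages it with gpg. The capture and snort.conf file names, the `min.pcap` output name and the use of alert_fast output (`<logdir>/alert`) are assumptions made for the example; the key id 0896278A is the one quoted in the message.

```shell
#!/bin/sh
# Added example (not from the original message or from the Snort project).
# Bisect the smallest `snort -r ... -n <count>` that still produces an alert,
# trim the capture to that many packets with tcpdump, then tar and
# gpg-encrypt it to the key id given in the message.  File names and the
# snort.conf path are assumptions for this example.

# Set by main(); defaults are placeholders.
PCAP=${PCAP:-capture.pcap}
CONF=${CONF:-/etc/snort/snort.conf}

# snort_reproduces COUNT: exit 0 if replaying the first COUNT packets of
# $PCAP through snort with $CONF writes at least one alert.  With -A fast the
# alerts land in <logdir>/alert; -q suppresses the banner and statistics.
snort_reproduces() {
    logdir=$(mktemp -d) || return 1
    snort -q -r "$PCAP" -n "$1" -c "$CONF" -A fast -l "$logdir" >/dev/null 2>&1 || :
    if [ -s "$logdir/alert" ]; then
        rm -rf "$logdir"
        return 0
    fi
    rm -rf "$logdir"
    return 1
}

# min_packets TOTAL CHECK: smallest N in 1..TOTAL for which "CHECK N"
# succeeds, found by binary search.  Because -n keeps the first N packets
# (all earlier stream state is preserved), reproduction is monotonic: if N
# packets trigger the alert, so do N+1.  Prints 0 and fails if even TOTAL
# packets do not reproduce.
min_packets() {
    total=$1
    check=$2
    lo=1
    hi=$total
    if ! "$check" "$hi"; then
        echo 0
        return 1
    fi
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi) / 2 ))
        if "$check" "$mid"; then
            hi=$mid
        else
            lo=$((mid + 1))
        fi
    done
    echo "$lo"
}

# pcap_packet_count FILE: one line of tcpdump output per packet.
pcap_packet_count() {
    tcpdump -nn -r "$1" 2>/dev/null | wc -l | tr -d ' '
}

# trim_pcap IN OUT N: write only the first N packets of IN to OUT.
trim_pcap() {
    tcpdump -r "$1" -w "$2" -c "$3" 2>/dev/null
}

# package_for_cmg FILES...: fulton.tgz encrypted to the key id from the
# message; gpg writes fulton.tgz.gpg next to it.
package_for_cmg() {
    tar czf fulton.tgz "$@"
    gpg --encrypt --recipient 0896278A fulton.tgz
}

# main PCAP CONF: full procedure.
main() {
    PCAP=$1
    CONF=$2
    total=$(pcap_packet_count "$PCAP")
    n=$(min_packets "$total" snort_reproduces) || {
        echo "no alert even with all $total packets; check snort.conf" >&2
        exit 1
    }
    trim_pcap "$PCAP" min.pcap "$n"
    echo "alert reproduces with the first $n of $total packets -> min.pcap"
    package_for_cmg min.pcap "$CONF"
}

# Usage: sh repro.sh bisect capture.pcap snort.conf
if [ "${1:-}" = "bisect" ]; then
    main "$2" "$3"
fi
```

Run it as `sh repro.sh bisect capture.pcap snort.conf`. The bisection only shortens the capture from the end; cutting it down further to the sessions involved is a separate step, and removing packets from the middle of a stream can make a stream4 reassembly bug stop reproducing, so re-run `snort -r` on the trimmed file before sending it.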
