[Snort-devel] Stream4 woes ??

Jon warchild at ...1775...
Thu Mar 13 19:22:10 EST 2003


On Tue, Mar 11, 2003 at 04:20:54PM +1300, Russell Fulton wrote:
> Hi All,
> 	I posted a note about this a week or so back but did not get any 
> response so here it goes again.
> 
> Since I upgraded to 1.9.1 I have been getting alerts from various overflow
> rules but the contents of the logged packets don't seem to make any sense,
> they seem to contain random bits from other protocols (mainly http, surprise) 
> 
> I am wondering if there is a new bug in stream4?

I can confirm similar results here.

For example, with SID 1634, usually every day I get one or two alerts that
seem to have http stuff inside them.  I saw a few people mention dropping
packets.  Here's some stats for my sensor that tripped SID 1634 but had
http garbage inside it:

Snort analyzed 36177506 out of 36177882 packets
dropping 376(0.001%) packets  

So, it's dropped 376 packets since 12:01am today.  What are the chances that
the dropped packets are the cause of this garbled POP/http session?

I've seen and reported other equally weird detects, especially with SIDs
1377 and 1378, which check for the likes of ~{ and ~[ in ftp connections.
I don't have pcaps, but I can tell you what situations trigger this rule:

Students storing / retrieving java save files.

These are of the form <name>.java~ and not surprisingly contain lots of {'s
and ['s.  As a test, I created a file named test-curly.java~ which
contained just a {.  Retrieving this file triggered this rule once, but
does not trigger it on subsequent transfers.  Odd.

I don't really see any immediate connection between these two events.  1634
is content + within related, whereas 1377 and 1378 are content + distance
related.  However, both port 21 and 110 are reassembled by stream4...

To help get to the bottom of this, I'll start up two tcpdump sessions.  One
for 21 and one for 110, and I'll try and whittle things down to a few
packets that will trigger the rule.  I'm not sure how long it'll take
though, 'cause the quarter ends tomorrow and school goes into hibernation
for over a week.

-jon
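Added example (editor's code, not from this thread and not Snort's own source): a toy matcher for Snort-style `content` keywords with relative `distance` and `within` modifiers, which is the distinction Jon draws between SID 1634 ("content + within") and SIDs 1377/1378 ("content + distance"). The rule bodies and FTP command lines are constructed, not the real SIDs, and the modifier semantics (distance = minimum gap after the previous match; within = the next match must complete inside that many bytes after the gap) are stated as assumptions in the comments.

```python
"""Toy Snort-style content matcher with relative distance/within modifiers.

Assumed semantics (simplified from Snort 2.x, not a faithful reimplementation):
  distance:N  -> next pattern may start no earlier than N bytes after the
                 end of the previous content match
  within:N    -> next pattern must lie entirely inside the N bytes that
                 follow the start point fixed by distance
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Content:
    pattern: bytes
    distance: int = 0              # assumed: gap after previous match end
    within: Optional[int] = None   # assumed: search depth after that gap


def match_rule(payload: bytes, contents: List[Content]) -> bool:
    """Return True if every content matches in order under its modifiers."""
    prev_end = 0  # end of the previous match (Snort's "doe" pointer)
    for i, c in enumerate(contents):
        start = 0 if i == 0 else prev_end + c.distance
        end = len(payload) if (i == 0 or c.within is None) else start + c.within
        if start > len(payload):
            return False
        idx = payload.find(c.pattern, start, end)  # pattern must fit in [start, end)
        if idx < 0:
            return False
        prev_end = idx + len(c.pattern)
    return True


# Constructed rules: same two contents, differing only in the second modifier.
WITHIN_RULE = [Content(b"RETR "), Content(b"~{", within=32)]
DISTANCE_RULE = [Content(b"RETR "), Content(b"~{", distance=16)]


def evaluate(payload: bytes) -> dict:
    """Evaluate a constructed FTP control-channel line against both rules."""
    return {
        "within": match_rule(payload, WITHIN_RULE),
        "distance": match_rule(payload, DISTANCE_RULE),
    }


if __name__ == "__main__":
    # Constructed sample lines, not captured traffic.
    for line in (b"RETR test-curly.java~\r\n",
                 b"RETR ~{foo}.java~\r\n",
                 b"RETR " + b"a" * 20 + b"~{x}.java~\r\n",
                 b"RETR " + b"a" * 40 + b"~{x}.java~\r\n"):
        print(line, evaluate(line))
```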