[Snort-devel] re: Stream4 woes ??

McClure Gammon gammon.mcclure at ...1145...
Mon Mar 17 05:04:30 EST 2003


On Tue, Mar 11, 2003 at 04:20:54PM +1300, Russell Fulton wrote: 
> Hi All, 
> I posted a note about this a week or so back but did not get any 
> response so here it goes again. 
> 
> Since I upgraded to 1.9.1 I have been getting alerts from various overflow
> rules but the contents of the logged packets don't seem to make any sense,
> they seem to contain random bits from other protocols (mainly http,
> surprise) 
> 
> I am wondering if there is a new bug in stream4? 

I've seen similar issues.  Unfortunately, I don't have a pcap prior to
stream4 processing, but I do have the pcap logs after processing.  Looking
at those with tcpdump produces some interesting weirdness, such as the IP
protocol field showing TCP, but no TCP header in packet #1.
The second packet at least has a TCP header, but the length is wrong.  The 1st
triggered no alert, so I have no clue why it's in the pcap.  The second
tripped sid 526:4 - "Bad traffic data in TCP SYN".  I'm _guessing_ that this
isn't rule specific, but is tied to stream4 processing - afraid I'm not
enough of a coder to determine why.

10:41:47.543996 xxx.xxx.38.29.12893 > xxx.xxx.xx.29.8265: FE
1852010349:1852010777(428) win 27756 urg 13109 (DF)
0x0000	 4500 01d0 0831 4000 6f06 fda6 xxxx 261d	E....1@.o...xx&.
0x0010	 xxxx xx1d 325d 2049 6e63 6f6d 696e 6720	..N.2].Incoming.
0x0020	 4361 6c6c 2c20 3335 xxxx xxxx xxxx xx20	Call,.35xxxxxxx.
0x0030	 5b4d 4249 4420 xxxx 3b20 xxxx xxxx xxxx	[MBID.xx;.xxxxxx
0x0040	 xxxx xxxx xxxx xxxx xxxx xxxx xxxx xxxx	xxxxxxxxxxxxxxxx
0x0050	 252a d645 007e 0060 6665 7265 723a 2068	%*.E.~.`ferer:.h
0x0060	 7474 703a 2f2f 7777 772e xxxx xxxx xxxx	ttp://www.xxxxxx
0x0070	 xxxx xxxx xxxx xxxx 2e63 6f6d 2fxx xxxx	xxxxxxxx.com/xxx
<snip>
0x01c0	 5048 4348 5041 4d43 4c42 424b 0d0a 0d0a	PHCHPAMCLBBK....

10:43:15.173996 xxx.xxx.38.29.1046 > xxx.xxx.xx.29.80: S
31390601:31391018(417) win 8192 <mss 536,nop,nop,sackOK> (DF)
0x0000	 4500 01d1 096c 4000 6f06 fc6a xxxx 261d	E....l@.o...xx&.
0x0010	 xxxx xx1d 0416 0050 01de fb89 0000 0000	..N....P........
0x0020	 7002 2000 ba43 0000 0204 0218 0101 0402	p....C..........
0x0030	 8df0 f9ca 005e 0060 6572 2e67 6966 2048	.....^.`er.gif.H
0x0040	 5454 502f 312e 310d 0a41 6363 6570 743a	TTP/1.1..Accept:
0x0050	 202a 2f2a 0d0a 5265 6665 7265 723a 2068	.*/*..Referer:.h
0x0060	 7474 703a 2f2f 7777 772e xxxx xxxx xxxx	ttp://www.xxxxxx
0x0070	 xxxx xxxx xxxx xxxx 2e63 6f6d 2fxx xxxx	xxxxxxxx.com/xxx
<snip>
0x01c0	 4950 4843 4850 414d 434c 4242 4b0d 0a0d	IPHCHPAMCLBBK...
0x01d0	 0a                                     	.

-Gammon
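Decoding the two dumps above by hand shows what "no TCP header" means: in packet #1 the bytes at IP offset 20 are ASCII payload, which yields a TCP data offset of 4 words (below the 20-byte minimum), while packet #2 has a sane header but 417 bytes of payload on a bare SYN, which is exactly what sid 526 matches. The checker below is an added example, not code from the post or from Snort; it embeds only the header bytes shown in the dumps and substitutes constructed 10.0.0.0/8 addresses for the masked octets, so checksums are not verified.

```python
import struct

FIN, SYN, ACK = 0x01, 0x02, 0x10

# Header bytes reconstructed from the two hex dumps in the post (IPv4 header plus
# the bytes where the TCP header sits). The masked "xxxx" address octets are
# replaced by constructed 10.0.0.0/8 values, so checksums cannot be verified.
PKT1 = bytes.fromhex(
    "4500 01d0 0831 4000 6f06 fda6 0a00 261d 0a00 641d"   # IPv4 header, proto 6 (TCP), len 464
    "325d 2049 6e63 6f6d 696e 6720 4361 6c6c 2c20 3335"   # "2] Incoming Call, 35" where TCP should be
)
PKT2 = bytes.fromhex(
    "4500 01d1 096c 4000 6f06 fc6a 0a00 261d 0a00 641d"   # IPv4 header, proto 6 (TCP), len 465
    "0416 0050 01de fb89 0000 0000 7002 2000 ba43 0000"   # TCP header: 1046 -> 80, SYN, win 8192
    "0204 0218 0101 0402"                                  # options: mss 536, nop, nop, sackOK
)


def check_tcp_packet(pkt: bytes) -> dict:
    """Parse IPv4+TCP headers and report the inconsistencies tcpdump only hints at."""
    ver_ihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out = {"proto": proto, "findings": []}
    if ver_ihl >> 4 != 4 or ihl < 20:
        out["findings"].append("bad_ip_header")
        return out
    if proto != 6 or len(pkt) < ihl + 20:
        out["findings"].append("not_tcp" if proto != 6 else "truncated")
        return out
    sport, dport, seq, _ack, doff_flags, win, _tcsum, _urg = \
        struct.unpack("!HHIIHHHH", pkt[ihl:ihl + 20])
    doff = (doff_flags >> 12) * 4          # header length in bytes
    flags = doff_flags & 0x1FF             # NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
    payload_len = total_len - ihl - doff
    out.update(sport=sport, dport=dport, seq=seq, win=win, flags=flags,
               doff=doff, payload_len=payload_len)
    if doff < 20:
        # A data offset below 5 words cannot be a real TCP header: the bytes there
        # are payload (or part of another packet) sitting where the header should be.
        out["findings"].append("bad_data_offset")
    if payload_len < 0:
        out["findings"].append("length_smaller_than_headers")
    if flags & SYN and not flags & ACK and payload_len > 0:
        # Payload in a bare SYN is what sid 526 ("BAD-TRAFFIC data in TCP SYN") matches.
        out["findings"].append("data_in_syn")
    return out


if __name__ == "__main__":
    for name, pkt in (("packet #1", PKT1), ("packet #2", PKT2)):
        print(name, check_tcp_packet(pkt))
```

Run against a pcap, the same checks applied per packet separate a stream4 reassembly artifact (impossible data offset) from traffic that genuinely carries data in a SYN.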
