[Snort-devel] possible bug with tagged packets and stream4

Russell Fulton r.fulton at ...1343...
Thu Feb 3 13:01:48 EST 2005


Hi Folks,
	I have posted on this topic before and have had useful feedback and now
think I understand how the system is supposed to work.  

I am currently running RC2 with unified output.

What I have been seeing is alerts with one or more tagged packets but
nothing in any of the logged packets matches the rule trigger.  Today I
had a really good example:

SID     CID     Timestamp               Signature               IP Src          IP Dst          Proto   Length
1       137386  2005-02-03 14:48:38     FTP format string attempt       130.216.120.93  204.152.189.116 6       68      
1       137387  2005-02-03 14:48:38     tag: Tagged Packet              130.216.120.93  204.152.189.116 6       78      
1       137388  2005-02-03 14:48:39     tag: Tagged Packet              130.216.120.93  204.152.189.116 6       58      
1       137389  2005-02-03 14:48:39     tag: Tagged Packet              130.216.120.93  204.152.189.116 6       57      
1       137390  2005-02-03 14:48:40     tag: Tagged Packet              130.216.120.93  204.152.189.116 6       60      
1       137391  2005-02-03 14:48:40     tag: Tagged Packet              130.216.120.93  204.152.189.116 6       58      

packet contents:

USER anonymous..
PASS mozilla at ...2716...
SYST..
PWD..
TYPE I..
PASV..

Not a hint of a "%" anywhere.

What I suspect is happening is that the last packet in the stream (the
one that caused the alert is getting lost). This could be in snort or in
barnyard.  Once I dropped to what was happening I looked at other
examples and this appears to be a consistent pattern where the next
packet in the stream could plausibly contain the data the would trigger
the alert.

Unfortunately these seem to occur pretty well at random so I can't
capture a stream for analysis.

I guess the crucial question is "Is anyone else seeing this?".  I am
seeing it on 4 different sensors (all running OBSD 3.6 on intel
hardware).

Cheers, Russell

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 2201 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20050203/26b3bf80/attachment.bin>


More information about the Snort-devel mailing list