[Snort-devel] possible bug with tagged packets and stream4

Martin Roesch roesch at ...402...
Wed Feb 9 06:29:35 EST 2005


Hm, that's interesting, we'll check it out here...


On Feb 3, 2005, at 3:59 PM, Russell Fulton wrote:

> Hi Folks,
> I have posted on this topic before and have had useful feedback and now
> think I understand how the system is supposed to work.
>
> I am currently running RC2 with unified output.
>
> What I have been seeing is alerts with one or more tagged packets but
> nothing in any of the logged packets matches the rule trigger.  Today I
> had a really good example:
>
> SID  CID     Timestamp            Signature                  IP Src          IP Dst           Proto  Length
> 1    137386  2005-02-03 14:48:38  FTP format string attempt  130.216.120.93  204.152.189.116  6      68
> 1    137387  2005-02-03 14:48:38  tag: Tagged Packet         130.216.120.93  204.152.189.116  6      78
> 1    137388  2005-02-03 14:48:39  tag: Tagged Packet         130.216.120.93  204.152.189.116  6      58
> 1    137389  2005-02-03 14:48:39  tag: Tagged Packet         130.216.120.93  204.152.189.116  6      57
> 1    137390  2005-02-03 14:48:40  tag: Tagged Packet         130.216.120.93  204.152.189.116  6      60
> 1    137391  2005-02-03 14:48:40  tag: Tagged Packet         130.216.120.93  204.152.189.116  6      58
>
> packet contents:
>
> USER anonymous..
> PASS mozilla at ...2716...
> SYST..
> PWD..
> TYPE I..
> PASV..
>
> Not a hint of a "%" anywhere.
>
> What I suspect is happening is that the last packet in the stream (the
> one that caused the alert) is getting lost. This could be in snort or in
> barnyard.  Once I dropped to what was happening I looked at other
> examples and this appears to be a consistent pattern where the next
> packet in the stream could plausibly contain the data that would trigger
> the alert.
>
> Unfortunately these seem to occur pretty well at random so I can't
> capture a stream for analysis.
>
> I guess the crucial question is "Is anyone else seeing this?".  I am
> seeing it on 4 different sensors (all running OBSD 3.6 on intel
> hardware).
>
> Cheers, Russell
>
>
-- 
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover.  Determine.  Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
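As an added example (not code from this thread, from Snort or from barnyard), a small Python check for the symptom Russell describes: group each alert with the tagged packets that follow it and flag alerts whose logged payloads never contain the rule's trigger content. The record shape, the payloads and the signature-to-content mapping are constructed assumptions, not parsed from real unified output.

```python
"""Sanity check for the symptom described in the post: an alert followed by
tagged packets, none of whose logged payloads contain the bytes the rule
matched on.  Records and payloads below are constructed, not real unified
output; parsing the unified binary format is not attempted here."""
import re

# Constructed records in the (sid, cid, signature, payload) shape of the
# table in the post; the payload column is invented for the example.
RECORDS = [
    (1, 137386, "FTP format string attempt", b"USER anonymous\r\n"),
    (1, 137387, "tag: Tagged Packet", b"PASS mozilla@example.invalid\r\n"),
    (1, 137388, "tag: Tagged Packet", b"SYST\r\n"),
    (1, 137389, "tag: Tagged Packet", b"PWD\r\n"),
    (1, 137390, "tag: Tagged Packet", b"TYPE I\r\n"),
    (1, 137391, "tag: Tagged Packet", b"PASV\r\n"),
    # A healthy event for contrast: the triggering packet was logged.
    (1, 137392, "FTP format string attempt", b"USER anon%x\r\n"),
    (1, 137393, "tag: Tagged Packet", b"QUIT\r\n"),
]

# Hypothetical signature -> rule content mapping; the actual rule's
# content option is not reproduced in the thread.
TRIGGER_PATTERN = {"FTP format string attempt": re.compile(rb"%")}

def group_events(records):
    """Attach each 'tag: Tagged Packet' record to the alert before it."""
    events = []
    for sid, cid, sig, payload in records:
        if sig.startswith("tag:"):
            if events:  # a stray tag with no preceding alert is skipped
                events[-1]["packets"].append((cid, payload))
            continue
        events.append({"sid": sid, "cid": cid, "sig": sig,
                       "packets": [(cid, payload)]})
    return events

def missing_trigger_events(records, patterns=TRIGGER_PATTERN):
    """Return (sid, cid) of alerts none of whose logged packets match the
    rule content: the pattern that suggests the triggering packet was lost
    somewhere between the detection engine and the unified log/barnyard."""
    suspect = []
    for ev in group_events(records):
        pat = patterns.get(ev["sig"])
        if pat is not None and not any(pat.search(p) for _, p in ev["packets"]):
            suspect.append((ev["sid"], ev["cid"]))
    return suspect

if __name__ == "__main__":
    for sid, cid in missing_trigger_events(RECORDS):
        print(f"event {sid}:{cid}: tagged packets logged, none matches trigger")
```

Run against a dump of real events, a consistent stream of hits from this check is the evidence the post is asking for before pointing at snort or barnyard.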