[Snort-devel] Session mixup by stream4

Andrew Rucker Jones arjones at ...2237...
Fri Feb 11 05:32:12 EST 2005


The checksum thing isn't really the issue. The stream4 plugin really is
mixing up packets. It does it a whole lot. I can't tell you how many
times a day I see it at work. I have come to hate stream4. But I won't
vent here, since I really should be thanking the developers for writing
Snort at all. I have, however, reported one issue with stream4 and mixed-up
packets to the developers that they would not fix. Their reasoning
was that they wanted to think through the implications and provide a
complete solution to the problem instead of the patch I gave them. (The
issue is with TCP window scaling.) Fair enough, but it doesn't seem to
have happened yet.


Jay Beale wrote:
| Alex Butcher, ISC/ISYS wrote:
|> Hi -
|> --On 08 February 2005 16:32 +0530 Sonali Gupta
|> <sonali.gupta at ...2499...> wrote:
|>> I have posted this query in the snort users mailing list also.
|>> I came across this post in the neohapsis archives, which discusses an
|>> issue similar to what I seem to be facing.
|>> It is at:
|>> http://archives.neohapsis.com/archives/snort/2003-01/0858.html
|>> http://archives.neohapsis.com/archives/snort/2003-01/0872.html
|>> The discussion talks about a session payload mixup in data captured by
|>> snort. I am also facing this issue in some sessions that I get from
|>> snort. I am using snort 2.0 and snort 2.3 ORC2, and found the issue in
|>> both versions.
|> I sometimes find alerts in my database that appear to be from mixed-up
|> packets. The giveaway is that both the IP and TCP checksums are
|> incorrect (ethereal reports that they are both 0x0000).
|> I'm using Snort 2.3.0 release + FLoP.
|> I'd send captures, but I've not found any pattern in what makes it
|> happen. :-/
| Before you get into a bug report, couldn't this just be flushed
| uber-packets from stream4? When stream4's BuildPacket() creates an uber
| packet out of a complete or partial stream, it doesn't compute IP or xDP
| checksums, since these would be meaningless.
|  - Jay

--
GPG key / Schlüssel -- http://simultan.dyndns.org/~arjones/gpgkey.txt
Encrypt everything. / Alles verschlüsseln.
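An added example (not from this thread or from the Snort source) of the triage check Jay's remark suggests: a packet flushed by stream4's BuildPacket() carries zeroed IP and TCP checksum fields, whereas a genuinely damaged or mixed-up packet carries non-zero checksums that fail to verify. The packet builder, addresses and payload are constructed for the demo; the verification logic follows RFC 793/791.

```python
import struct


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (data zero-padded to 16 bits)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_checksums(pkt: bytes):
    """Return (ip_stored, ip_computed, tcp_stored, tcp_computed) for an IPv4/TCP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    ip_stored = struct.unpack("!H", pkt[10:12])[0]
    ip_calc = _checksum(pkt[:10] + b"\x00\x00" + pkt[12:ihl])
    seg = pkt[ihl:total_len]
    tcp_stored = struct.unpack("!H", seg[16:18])[0]
    pseudo = pkt[12:20] + b"\x00\x06" + struct.pack("!H", len(seg))  # src, dst, proto 6, length
    tcp_calc = _checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])
    return ip_stored, ip_calc, tcp_stored, tcp_calc


def classify(pkt: bytes) -> str:
    """Distinguish stream4 flush output from real on-wire damage."""
    ip_s, ip_c, tcp_s, tcp_c = ip_checksums(pkt)
    if ip_s == ip_c and tcp_s == tcp_c:
        return "valid"        # both verify: a real packet seen on the wire
    if ip_s == 0 and tcp_s == 0:
        return "reassembled"  # both fields left 0x0000: stream4 never filled them
    return "corrupt"          # non-zero fields that do not verify: damage or mixup


def build_packet(payload: bytes, fill_checksums: bool) -> bytes:
    """Constructed IPv4/TCP packet 10.0.0.1:1234 -> 10.0.0.2:80 (PSH/ACK)."""
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    if fill_checksums:  # fill the fields the way a real sender would
        ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]
        pseudo = ip[12:20] + b"\x00\x06" + struct.pack("!H", len(tcp))
        tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    return ip + tcp


if __name__ == "__main__":
    for fill in (True, False):
        print(fill, classify(build_packet(b"GET / HTTP/1.0\r\n", fill)))
```

Run the same classification over packets extracted from the alert database: anything reported as "reassembled" is a flushed uber-packet and can be set aside, which leaves the "corrupt" ones as candidates for the mixup being discussed.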


