[Snort-devel] continuing problems with RC2 and tagged packets

Dirk Geschke Dirk_Geschke at ...802...
Fri Jan 14 01:01:20 EST 2005

Hi Russel,

> I am seeing lots (~1700 in 24 hours) of tagged packets since I installed
> RC2.  Almost all of these packets are linked to sessions which
> supposedly triggered BS rule "BLEEDING-EDGE Malware Fun Web Products
> Agent Traffic" sid: 2001034
> It has been suggested (sorry I've forgotten by who, lost the email and
> can't be bothered scouring the archive) that these are the result of
> stream reassembling but none of the packets tagged *or* the alert packet
> meet the trigger criteria for the rule.

I think I wrote the email. The alert triggers on the rebuild packet.
You have to take the first alert packet and all tagged packets of this
stream. Then rebuild one packet out of all these packets and then take
a look if you find the matching content.

If not, then it may still be a problem with stream4.

I don't understand why there is no option where you can choose
between the two procedures, to store the whole rebuilt packet 
or the single packets.

If you can afford to play around with snort then edit the 
output-plugin to disable this new behaviour and see if the
rules are still alerting. Then you should see the content
since the rebuild packets are stored in the log file.

The relevant part is in src/output-plugins/spo_unified.c, search
for UnifiedLogPacketAlert (line 453) and comment out the PKT_REBUILD
part of the if-then-else construct so that finally only

 RealUnifiedLogPacketAlert(p, msg, arg, event, &dHdr);

remains. I think then the full rebuild packet is stored instead
of the tagged ones.

(If you see how simply it is to change the behaviour then you can
guess why I am asking for adding an option to choose it. But maybe
this is related to future versions of barnyard to ensure that there
is no pcap data in the log file which is greater than the MTU...)

Best regards

| Dr. Dirk Geschke            | E-mail: geschke at ...802...      |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-131 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-999 |
| 85551 Kirchheim / Germany   | Domagkstrasse 7               |

More information about the Snort-devel mailing list