[Snort-devel] odd problems with 2.3rc2
roesch at ...402...
Sun Jan 23 18:36:15 EST 2005
I can't answer why the rule is firing without looking into it a lot
more but I can tell you what's happening with the tagged packets. If
Snort is using unified logging, instead of logging the pseudopacket
generated by stream4 it will instead log the original packets that
constituted the stream that was used to generate the pseudopacket in
the first place. This is so that you can see what was on the wire
originally instead of getting the pseudopacket which tends to mess up
analysts who want to know what the original TTL/TOS/etc were. The
unified header contains reference info that will let you see which
trigger packet (the first in the segment queue) the tagged packets are
Hope this clears things up.
BTW, the reference field isn't all that great, because it is just a
counter of the number of events since startup. I floated the idea of
having a "packet serial number" structure that could be used to
uniquely identify a sensor, instance and event id that would be
attached to each unified event and associated tagged packets.
On Jan 10, 2005, at 4:13 PM, Russell Fulton wrote:
> On Mon, 2005-01-10 at 17:19 +0100, Dirk Geschke wrote:
>>> I've just installed RC2 and I have observed a couple of problems:
>>> 1. a few rules are triggering when there does not appear to be
>>> reason. One rule is triggering often, for no apparent
>> maybe you are using the unified output plugin?
> I am.
>> In this case it
>> is possible that the rules fire on a stream4 rebuild packet.
>> This packet is stored in the original parts and only the first
>> one gets the signature message. All further packets are "Tagged
>> Packet"s and are stored in the log facility.
> That explains part of the problem (the tagged packets) but not why the
> rules are triggering in the first place.
> Thanks, Russell
Martin Roesch - Founder/CTO, Sourcefire Inc. - +1-410-290-1616
Sourcefire - Discover. Determine. Defend.
roesch at ...402... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org
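The correlation Roesch describes (tagged packets being tied back to their trigger packet through the unified reference field, and that field being only a per-startup counter) can be shown with a small analyst-side script. The following is an added example, not code from this thread, from Snort or from Sourcefire: the record layout, the field names `sensor_id`, `startup_time`, `seq`, `event_reference`, `sig_id` and `payload`, the sample records and the signature ids are all constructed simplifications, not the real unified1 header. It generalises the point of the reply by contrasting grouping on the bare counter with grouping on the (sensor, instance, event id) serial he floats.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class UnifiedRecord:
    """Constructed, simplified stand-in for one unified log record.

    Only the fields the discussion touches are modelled; the real unified
    header has more fields and a different layout (assumption, not Snort's struct).
    """
    sensor_id: int        # which sensor wrote the record
    startup_time: int     # epoch seconds when that sensor process started (assumed field)
    seq: int              # position in the log file, keeps on-the-wire order
    event_reference: int  # counter of events since startup; tagged packets carry
                          # the reference of the event that produced them
    sig_id: int           # signature that fired; 0 marks a tagged packet (assumption)
    payload: bytes


def group_by_reference(records: List[UnifiedRecord]) -> Dict[int, List[UnifiedRecord]]:
    """Naive correlation: key only on the reference counter the unified header offers."""
    groups: Dict[int, List[UnifiedRecord]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.seq):
        groups[rec.event_reference].append(rec)
    return dict(groups)


def group_by_serial(records: List[UnifiedRecord]) -> Dict[Tuple[int, int, int], List[UnifiedRecord]]:
    """Correlation keyed on a (sensor, instance, event) serial, so counters that
    restart at zero on another sensor or after a restart cannot collide."""
    groups: Dict[Tuple[int, int, int], List[UnifiedRecord]] = defaultdict(list)
    for rec in sorted(records, key=lambda r: r.seq):
        groups[(rec.sensor_id, rec.startup_time, rec.event_reference)].append(rec)
    return dict(groups)


def split_trigger(group: List[UnifiedRecord]) -> Tuple[UnifiedRecord, List[UnifiedRecord]]:
    """The first record written for an event is the trigger packet (first in the
    segment queue) and carries the signature; everything after it is a tagged packet."""
    trigger, *tagged = group
    if trigger.sig_id == 0:
        raise ValueError("group does not start with a trigger packet")
    return trigger, tagged


def collisions(group: List[UnifiedRecord]) -> List[int]:
    """Sequence numbers of records that carry a signature but are not first in the
    group: a sign that two unrelated events were merged under one reference value."""
    return [r.seq for r in group[1:] if r.sig_id != 0]


def reassemble(group: List[UnifiedRecord]) -> bytes:
    """Concatenate the original on-the-wire payloads to approximate the stream4
    pseudopacket that unified logging deliberately does not write out."""
    return b"".join(r.payload for r in group)


# Constructed sample: sensor 1 logs event #1 with two tagged packets, restarts an hour
# later, then logs a new and unrelated event that also receives reference #1.
# Signature ids are placeholders in the local (>1,000,000) range, not real rules.
SAMPLE = [
    UnifiedRecord(1, 1105400000, 1, 1, 9999001, b"GET /index.html HTTP/1.0\r\n"),
    UnifiedRecord(1, 1105400000, 2, 1, 0,       b"Host: www.example.com\r\n"),
    UnifiedRecord(1, 1105400000, 3, 1, 0,       b"\r\n"),
    UnifiedRecord(1, 1105403600, 4, 1, 9999002, b"USER anonymous\r\n"),
    UnifiedRecord(1, 1105403600, 5, 1, 0,       b"PASS guest\r\n"),
]


if __name__ == "__main__":
    naive = group_by_reference(SAMPLE)
    print("groups by reference:", len(naive), "colliding seqs:", collisions(naive[1]))
    for key, grp in group_by_serial(SAMPLE).items():
        trig, tagged = split_trigger(grp)
        print(key, "sig", trig.sig_id, "tagged", len(tagged), reassemble(grp))
```

Keying on the bare counter folds the two events into one group, and `collisions` flags the second trigger hiding inside it; keying on the serial keeps them apart and lets `split_trigger` and `reassemble` recover each stream as it was on the wire, TTL/TOS and all, which is the reason the original packets are logged instead of the pseudopacket.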