[Snort-users] packet overlap triggering alerts?

Kevin Peuhkurinen kevin.peuhkurinen at ...7732...
Wed Dec 11 11:46:05 EST 2002

I hope somebody can help me with this as I am nearing my wits' end. I'm 
having a problem with anomalous "P2P GNUTELLA GET" alerts which appear 
to be caused by some kind of packet overlap or something.

I had been having these problems with Snort 1.8.7, so upgraded to 1.9.0 
and am still encountering them. The sensor reporting them is running 
Mandrake 8.1 with the latest stable release of libpcap.

According to this sensor, the packets in question are originating from 
my SMTP server, with the destination being other SMTP servers on port 
25. When I look at the packet in ACID, sure enough there is what 
appears to be an HTTP GET request. This was enough to make me curious. 
What I eventually decided to do was use a different machine to capture 
all of the traffic on port 25 to try to figure out what was going on.

The thing is, the packets that are being logged by the sensor do not 
match the packets that are being captured by the other machine.

Here is an example:

From the sensor:

Src: My SMTP Server    Dest: Remote SMTP Server
Src Port: 4479, Dest Port: 25
IP Header Checksum: 0 (Incorrect, should be 0xc88f)
TCP Header Checksum: 0 (Incorrect, should be 0x5b62)
TCP Seq:  509426611
TCP Ack: 2900267714
The data contains an HTTP GET request followed by a bunch of garbage.

When I look at the captured packets from the other machine, there is no 
such packet. The stream itself is an outgoing email with a fairly long 
attachment. There is one packet with matching Seq & Ack #'s, but it is 
actually just an ACK from the remote SMTP server back to my server. 
Certainly nowhere in any of the packets is anything that looks remotely 
like the HTTP GET which Snort is reporting on. However, I do know that 
at the same time, a user was making that HTTP connection since I can see 
traffic to the host in my firewall logs.

Therefore, I have to conclude that somehow Snort is getting its traffic 
mixed up. This is the only alert I have seen that this looks like it is 
happening to. All other alerts appear to be genuine.

Any thoughts?
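The sensor output above reports both checksums as 0 alongside a "should be" value. As an added example that is not part of the post, the following Python script shows how those expected values are derived: the RFC 1071 ones'-complement checksum over the IPv4 header, and over the TCP pseudo-header plus segment. It builds a constructed IPv4/TCP packet (addresses, payload and IP id are made up; the ports, Seq and Ack numbers are the ones quoted in the post) once with correct checksums and once with both checksum fields zeroed, then verifies each copy the way a decoder would. Running the same check over packets from both capture points is one way to tell whether the sensor's copy of a packet is the one that was actually on the wire.

```python
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 16-bit ones'-complement sum; an odd trailing byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def checksum(data: bytes) -> int:
    """Ones'-complement of the ones'-complement sum, as stored in IP/TCP headers."""
    return (~ones_complement_sum(data)) & 0xFFFF


def ip_header_checksum(ip_header: bytes) -> int:
    """IPv4 header checksum, computed with the checksum field (bytes 10-11) zeroed."""
    zeroed = ip_header[:10] + b"\x00\x00" + ip_header[12:]
    return checksum(zeroed)


def tcp_checksum(src_ip: bytes, dst_ip: bytes, tcp_segment: bytes) -> int:
    """TCP checksum over pseudo-header (src, dst, zero, proto 6, length) + segment,
    with the segment's own checksum field (bytes 16-17) zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(tcp_segment))
    zeroed = tcp_segment[:16] + b"\x00\x00" + tcp_segment[18:]
    return checksum(pseudo + zeroed)


def verify_packet(frame: bytes) -> dict:
    """Parse an IPv4/TCP packet (no link-layer header) and compare stored vs computed checksums."""
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    ip_header = frame[:ihl]
    src_ip, dst_ip = frame[12:16], frame[16:20]
    tcp_segment = frame[ihl:total_len]
    ip_stored = struct.unpack("!H", ip_header[10:12])[0]
    tcp_stored = struct.unpack("!H", tcp_segment[16:18])[0]
    ip_computed = ip_header_checksum(ip_header)
    tcp_computed = tcp_checksum(src_ip, dst_ip, tcp_segment)
    return {
        "ip_stored": ip_stored, "ip_computed": ip_computed, "ip_ok": ip_stored == ip_computed,
        "tcp_stored": tcp_stored, "tcp_computed": tcp_computed, "tcp_ok": tcp_stored == tcp_computed,
    }


def build_packet(src_ip: str, dst_ip: str, sport: int, dport: int, seq: int, ack: int,
                 payload: bytes, fill_checksums: bool = True) -> bytes:
    """Construct a sample IPv4/TCP packet (test data, not a real capture).
    With fill_checksums=False both checksum fields are left at 0, like the sensor's copy."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, cksum, urg
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 8192, 0, 0) + payload
    # IPv4 header: ver/IHL, TOS, total length, id, DF flag, TTL, proto TCP, cksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    if fill_checksums:
        ip = ip[:10] + struct.pack("!H", ip_header_checksum(ip)) + ip[12:]
        tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    return ip + tcp


if __name__ == "__main__":
    # Constructed sample: ports/Seq/Ack from the post, everything else made up.
    args = ("10.0.0.2", "192.0.2.25", 4479, 25, 509426611, 2900267714, b"GET / HTTP/1.0\r\n\r\n")
    for label, pkt in (("correct", build_packet(*args)), ("zeroed", build_packet(*args, fill_checksums=False))):
        r = verify_packet(pkt)
        print(f"{label}: IP stored=0x{r['ip_stored']:04x} should be 0x{r['ip_computed']:04x} ok={r['ip_ok']}; "
              f"TCP stored=0x{r['tcp_stored']:04x} should be 0x{r['tcp_computed']:04x} ok={r['tcp_ok']}")
```

The "should be" values depend on every byte of the header and payload, so a packet whose stored checksums are 0 while the computed ones are non-zero was either captured before a NIC filled the fields in or was not the packet that reached the other end; comparing the verified copies from the two capture points is the quickest way to tell which.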

