[Snort-users] packet overlap triggering alerts?
kevin.peuhkurinen at ...7732...
Wed Dec 11 11:46:05 EST 2002
I hope somebody can help me with this as I am nearing my wits' end. I'm
having a problem with anomalous "P2P GNUTELLA GET" alerts which appear
to be caused by some kind of packet overlap or something.

I had been having these problems with Snort 1.8.7, so upgraded to 1.9.0
and am still encountering them. The sensor reporting them is running
Mandrake 8.1 with the latest stable release of libpcap.

According to this sensor, the packets in question are originating from
my SMTP server, with the destination being other SMTP servers on port
25. When I look at the packet in ACID, sure enough there are what
appear to be HTTP GET requests. This was enough to make me curious.

What I eventually decided to do was use a different machine to capture
all of the traffic on port 25 to try to figure out what was going on.
The thing is, the packets that are being logged by the sensor do not
match the packets that are being captured by the other machine.

Here is an example:

From the sensor:
Src: My SMTP Server    Dest: Remote SMTP Server
Src Port: 4479         Dest Port: 25
IP Header Checksum: 0 (Incorrect, should be 0xc88f)
TCP Header Checksum: 0 (Incorrect, should be 0x5b62)
TCP Flags: ACK/PSH
TCP Seq: 509426611
TCP Ack: 2900267714

The data contains an HTTP GET request followed by a bunch of garbage.

When I look at the captured packets from the other machine, there is no
such packet. The stream itself is an outgoing email with a fairly long
attachment. There is one packet with matching Seq & Ack #'s, but it is
actually just an ACK from the remote SMTP server back to my server.
Certainly nowhere in any of the packets is anything that looks remotely
like the HTTP GET which Snort is reporting on. However, I do know that
at the same time, a user was making that HTTP connection since I can see
traffic to the host in my firewall logs.

Therefore, I have to conclude that somehow Snort is getting its traffic
mixed up. This is the only alert I have seen that this looks like it is
happening to. All other alerts appear to be genuine.
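A check for the kind of packet shown above, added here as an example and not taken from the thread: it recomputes the IPv4 header and TCP checksums (RFC 1071 one's complement sum over the header, and over the pseudo-header plus segment for TCP) and reports whether the stored fields match, so a logged packet with both checksums at 0 can be told apart from a packet that was actually on the wire. The addresses, IP id, window and payload are constructed sample values; `build_packet` and `zero_checksums` are helpers written for this example.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"                      # odd length is padded with a zero byte
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ip_checksum(ip_hdr: bytes) -> int:
    # The checksum field (bytes 10-11) counts as zero while computing.
    return ones_complement_sum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:])

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    # TCP covers a pseudo-header (addresses, protocol 6, segment length) plus the segment.
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment[:16] + b"\x00\x00" + segment[18:])

def check_checksums(packet: bytes) -> dict:
    """Compare the stored IP and TCP checksums of an IPv4/TCP packet with recomputed ones."""
    ihl = (packet[0] & 0x0F) * 4
    ip_hdr, segment = packet[:ihl], packet[ihl:]
    stored_ip = struct.unpack("!H", ip_hdr[10:12])[0]
    stored_tcp = struct.unpack("!H", segment[16:18])[0]
    exp_ip = ip_checksum(ip_hdr)
    exp_tcp = tcp_checksum(ip_hdr[12:16], ip_hdr[16:20], segment)
    return {"ip_ok": stored_ip == exp_ip, "ip_expected": exp_ip,
            "tcp_ok": stored_tcp == exp_tcp, "tcp_expected": exp_tcp}

def build_packet(payload: bytes, src="192.0.2.10", dst="198.51.100.25",
                 sport=4479, dport=25, seq=509426611, ack=2900267714) -> bytes:
    """Constructed IPv4/TCP packet (documentation addresses) with valid checksums."""
    s, d = socket.inet_aton(src), socket.inet_aton(dst)
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, 0x18, 8192, 0, 0) + payload
    seg = seg[:16] + struct.pack("!H", tcp_checksum(s, d, seg)) + seg[18:]
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(seg), 0x1234, 0x4000, 64, 6, 0, s, d)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + seg

def zero_checksums(packet: bytes) -> bytes:
    """Constructed sample of what the sensor logged: both checksum fields are 0."""
    ihl = (packet[0] & 0x0F) * 4
    p = bytearray(packet)
    p[10:12] = b"\x00\x00"
    p[ihl + 16:ihl + 18] = b"\x00\x00"
    return bytes(p)
```

A packet that fails both checks would have been discarded by the receiving host, so an alert whose only evidence is the payload of such a packet points at corruption between the wire and the sensor rather than at a real GET in the SMTP session.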