[Snort-users] Packet weirdness

tyler at ...4440... tyler at ...4440...
Thu Feb 7 06:37:19 EST 2002


Here's my scenario..  I have a box that is setup running apache and snort
with demarc.  Works great.  I've also turned on Proxying in apache and put a
pass rule in for traffic from that box [so we can allow certain users access
to AIM through the proxy, but alert on unauth users].  This setup should
work fine I would think. Every now and then tho, I start getting a lot of
alarms for AIM, so I look at the packets and such.  

It's like the aim packets going in to the proxy server are somehow
overwriting the packet that snort is currently examining in memory and
causing snort to think it's an AIM packet so it then sends an alert.  I say
this as when I look at the packet details for the alarm, it's from a
different machine than the one that sent the aim message, to a machine on
the internet that is NOT aol, and the payload STARTS with part of an AIM
packet, but then changes to that of an email message, web request, or some
other non-AIM traffic.

Unfortunately I don't have a copy of an example packet, as this is only
intermittent and doesn't happen all the time, but does anyone have any
insight into this?  I'm using snort 1.8.3 on Redhat 7.2...


This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager at postmaster at ...4441...

More information about the Snort-users mailing list