[Snort-users] Packet weirdness

Chris Green cmg at ...671...
Thu Feb 7 07:07:30 EST 2002


tyler at ...4440... writes:

> Gang,
>
> Here's my scenario..  I have a box that is setup running apache and snort
> with demarc.  Works great.  I've also turned on Proxying in apache and put a
> pass rule in for traffic from that box [so we can allow certain users access
> to AIM through the proxy, but alert on unauth users].  This setup should
> work fine I would think. Every now and then tho, I start getting a lot of
> alarms for AIM, so I look at the packets and such.  
>
> It's like the aim packets going in to the proxy server are somehow
> overwriting the packet that snort is currently examining in memory and
> causing snort to think it's an AIM packet so it then sends an alert.  I say
> this as when I look at the packet details for the alarm, it's from a
> different machine than the one that sent the aim message, to a machine on
> the internet that is NOT aol, and the payload STARTS with part of an AIM
> packet, but then changes to that of an email message, web request, or some
> other non-AIM traffic.
>
> Unfortunately I don't have a copy of an example packet, as this is only
> intermittent and doesn't happen all the time, but does anyone have any
> insight into this?  I'm using snort 1.8.3 on Redhat 7.2...

Try updating to
http://www.snort.org/downloads/snort-stable-snapshot.tar.gz  There
have been a few weirdnesses fixed lately.  Soon, we should be doing a
beta2 of 1.8.4

If it continues to happen, please do start saving tcpdump formatted
logs.

>
> tf.
>
>
> **********************************************************************
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager at postmaster at ...4441...
> **********************************************************************

For what it's worth, I hate these. Doubt you have control over them :-)
-- 
Chris Green <cmg at ...671...>
You now have 14 minutes to reach minimum safe distance.
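The reply's advice is to keep tcpdump-format logs (what `tcpdump -w` and `snort -b` write) so a suspect alert can be checked against the bytes actually captured. The following is an added example, not code from this thread or from Snort: it reads such a file with a minimal pcap parser (Ethernet/IPv4/TCP assumed, no external modules) and flags TCP payloads that begin with an AIM/OSCAR FLAP header (first byte 0x2a, 2-byte length at offset 4) but are followed by data the FLAP framing does not account for, which is the mixed AIM-then-HTTP payload the original poster describes. The three packets, the addresses, and the `build_pcap`, `find_mixed_payloads` and `check_flap` names are all constructed for the example; it does not reproduce Snort's own AIM rules.

```python
import struct

FLAP_START = 0x2A  # every OSCAR (AIM) FLAP frame begins with this byte


def build_pcap(packets):
    """Build a minimal little-endian pcap (Ethernet/IPv4/TCP) from
    (src_ip, dst_ip, dport, payload) tuples. Constructed test data only;
    checksums are left zero because the parser below does not verify them."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # DLT_EN10MB
    for src, dst, dport, payload in packets:
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
        total = 20 + len(tcp) + len(payload)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))),
                         bytes(map(int, dst.split("."))))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


def iter_tcp_payloads(pcap):
    """Yield (src, dst, dport, payload) for each IPv4/TCP packet in a
    tcpdump-format capture (Ethernet link type assumed)."""
    magic, = struct.unpack_from("<I", pcap, 0)
    endian = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl, _ = struct.unpack_from(endian + "IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl]
        off += incl
        if frame[12:14] != b"\x08\x00":      # not IPv4
            continue
        ip = frame[14:]
        if ip[9] != 6:                       # not TCP
            continue
        ihl = (ip[0] & 0x0F) * 4
        total = struct.unpack_from("!H", ip, 2)[0]
        tcp = ip[ihl:total]
        doff = (tcp[12] >> 4) * 4
        dport = struct.unpack_from("!H", tcp, 2)[0]
        src = ".".join(map(str, ip[12:16]))
        dst = ".".join(map(str, ip[16:20]))
        yield src, dst, dport, tcp[doff:]


def check_flap(payload):
    """None if the payload does not start with a FLAP header; 'ok' if the
    FLAP frame(s) account for every byte; otherwise a description of the
    inconsistency (trailing non-FLAP data or a truncated frame)."""
    if len(payload) < 6 or payload[0] != FLAP_START:
        return None
    pos = 0
    while pos + 6 <= len(payload) and payload[pos] == FLAP_START:
        length = struct.unpack_from("!H", payload, pos + 4)[0]
        pos += 6 + length
    if pos == len(payload):
        return "ok"
    if pos > len(payload):
        return "truncated FLAP frame"
    tail = payload[pos:]
    return "FLAP frame followed by %d bytes of non-FLAP data: %r" % (len(tail), tail[:16])


def find_mixed_payloads(pcap):
    """Return (src, dst, dport, verdict) for packets whose payload starts
    like AIM but does not stay AIM; these are the ones worth comparing
    against the alert Snort raised."""
    hits = []
    for src, dst, dport, payload in iter_tcp_payloads(pcap):
        verdict = check_flap(payload)
        if verdict not in (None, "ok"):
            hits.append((src, dst, dport, verdict))
    return hits


# Constructed sample: a clean FLAP frame, a FLAP header glued to an HTTP
# request (the symptom from the thread), and an ordinary HTTP request.
SAMPLE_PACKETS = [
    ("10.0.0.5", "10.0.0.1", 5190, b"\x2a\x02\x00\x01\x00\x04" + b"\x00\x01\x00\x02"),
    ("10.0.0.7", "198.51.100.9", 80,
     b"\x2a\x02\x00\x02\x00\x03abc" + b"GET /index.html HTTP/1.0\r\n"),
    ("10.0.0.8", "198.51.100.9", 80, b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for hit in find_mixed_payloads(build_pcap(SAMPLE_PACKETS)):
        print("%s -> %s:%d  %s" % hit)
```

Run it against a real capture by replacing `build_pcap(SAMPLE_PACKETS)` with the bytes of the file `snort -b` or `tcpdump -w` wrote; a flagged packet whose on-disk bytes really are mixed points at the traffic or the capture path, whereas a clean capture for an alert that still reported mixed content points back at the Snort build, which is the distinction the reply is asking for.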



