[Snort-users] Packet weirdness

tyler at ...4440... tyler at ...4440...
Thu Feb 7 07:12:26 EST 2002


Now I can just download/compile/install over old binaries and my demarc
system will still work and all, yes?

tf.

-----Original Message-----
From: Chris Green [mailto:cmg at ...671...]
Sent: Thursday, February 07, 2002 10:06 AM
To: tyler at ...4440...
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Packet weirdness


tyler at ...4440... writes:

> Gang,
>
> Here's my scenario... I have a box that is set up running apache and snort
> with demarc.  Works great.  I've also turned on Proxying in apache and put a
> pass rule in for traffic from that box [so we can allow certain users access
> to AIM through the proxy, but alert on unauth users].  This setup should
> work fine I would think. Every now and then tho, I start getting a lot of
> alarms for AIM, so I look at the packets and such.
>
> It's like the aim packets going in to the proxy server are somehow
> overwriting the packet that snort is currently examining in memory and
> causing snort to think it's an AIM packet so it then sends an alert.  I say
> this as when I look at the packet details for the alarm, it's from a
> different machine than the one that sent the aim message, to a machine on
> the internet that is NOT aol, and the payload STARTS with part of an AIM
> packet, but then changes to that of an email message, web request, or some
> other non-AIM traffic.
>
> Unfortunately I don't have a copy of an example packet, as this is only
> intermittent and doesn't happen all the time, but does anyone have any
> insight into this?  I'm using snort 1.8.3 on Redhat 7.2...

Try updating to
http://www.snort.org/downloads/snort-stable-snapshot.tar.gz  There
have been a few weirdnesses fixed lately.  Soon, we should be doing a
beta2 of 1.8.4.

If it continues to happen, please do start saving tcpdump formatted
logs.

>
> tf.
>
>
> **********************************************************************
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual or entity to whom they
> are addressed. If you have received this email in error please notify
> the system manager at postmaster at ...4441...
> **********************************************************************

For what it's worth, I hate these. Doubt you have control over them :-)
-- 
Chris Green <cmg at ...671...>
You now have 14 minutes to reach minimum safe distance.
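Added example (not code from this thread or from the Snort project): a small triage script for the tcpdump-format logs Chris asks for. It parses a pcap capture, pulls out each TCP payload, and flags payloads that begin with an AIM FLAP frame marker (0x2A) but then carry HTTP or SMTP text, which is the "starts as AIM, turns into something else" symptom described above. The sample capture, hostnames, addresses and the `classify_payload` heuristic (valid FLAP channels 1 to 5, a short list of foreign-protocol tokens) are constructed for the example and are not from the original post.

```python
"""Triage the symptom from the thread: a TCP payload that starts like an AIM
FLAP frame but continues as HTTP, SMTP or some other protocol. It reads a
tcpdump-format (pcap) capture, which is what Chris asks to be saved.
Constructed example with an inline sample capture; not code from the thread."""
import struct

FLAP_START = 0x2A     # every AIM/OSCAR FLAP frame begins with '*' (0x2A)
FLAP_HDR_LEN = 6      # start byte, channel, 2-byte sequence, 2-byte data length
VALID_FLAP_CHANNELS = range(1, 6)   # 1 new-connection, 2 SNAC, 3 error, 4 close, 5 keepalive
# Tokens that should not appear inside a real FLAP body; a hit means the
# payload is a mix of an AIM header and something else (heuristic, assumed).
OTHER_PROTOCOL_MARKERS = (b"GET ", b"POST ", b"HTTP/1.", b"EHLO ", b"HELO ",
                          b"MAIL FROM", b"RCPT TO", b"Subject: ")


def iter_pcap_frames(data: bytes):
    """Yield raw link-layer frames from an in-memory pcap (tcpdump) file."""
    magic = struct.unpack_from("<I", data, 0)[0]
    order = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if order is None:
        raise ValueError("not a pcap file")
    linktype = struct.unpack_from(order + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(order + "IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                                        # protocol 6 = TCP
        return None
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_off:]


def classify_payload(payload: bytes) -> str:
    """Heuristic verdict: 'aim', 'spliced' (FLAP start but foreign body) or 'other'."""
    if len(payload) < FLAP_HDR_LEN or payload[0] != FLAP_START:
        return "other"
    channel = payload[1]
    body = payload[FLAP_HDR_LEN:]
    if channel not in VALID_FLAP_CHANNELS:
        return "spliced"
    if any(marker in body for marker in OTHER_PROTOCOL_MARKERS):
        return "spliced"
    return "aim"


def triage(pcap_bytes: bytes):
    """Return [(src, dst, sport, dport, verdict), ...] for every non-empty TCP payload."""
    results = []
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed and parsed[4]:
            src, dst, sport, dport, payload = parsed
            results.append((src, dst, sport, dport, classify_payload(payload)))
    return results


# --- constructed sample capture (addresses are documentation ranges, timestamps made up) ---
def _ip(s):
    return bytes(int(x) for x in s.split("."))

def _frame(src, dst, sport, dport, payload):
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     _ip(src), _ip(dst)) + tcp
    return eth + ip

def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1013065200 + i, 0, len(f), len(f)) + f
    return out

_snac = b"\x00\x01\x00\x03\x00\x00\x00\x00\x00\x01"          # plausible SNAC header
AIM_OK = b"*\x02" + struct.pack("!HH", 1, len(_snac)) + _snac
SPLICED = b"*\x02" + struct.pack("!HH", 7, 10) + b"GET /index.html HTTP/1.0\r\nHost: www.example.org\r\n\r\n"
SMTP = b"EHLO mail.example.org\r\n"

SAMPLE_PCAP = _pcap([
    _frame("192.0.2.10", "198.51.100.5", 1025, 5190, AIM_OK),   # genuine AIM traffic
    _frame("192.0.2.11", "203.0.113.9", 1026, 80, SPLICED),     # the thread's symptom
    _frame("192.0.2.12", "203.0.113.25", 1027, 25, SMTP),       # ordinary mail
])

if __name__ == "__main__":
    for src, dst, sport, dport, verdict in triage(SAMPLE_PCAP):
        print(f"{src}:{sport} -> {dst}:{dport}  {verdict}")
```

Run it against a real capture by passing `open(path, "rb").read()` to `triage()`; any "spliced" row is a packet worth attaching to a bug report, since a well-formed FLAP body never contains HTTP or SMTP command text.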