[Snort-users] Garbage in snort logs

Phil Wood cpw at ...440...
Mon Jan 7 08:33:17 EST 2002


Russell,

Please send me your config file which should have something like this
for preprocessors:

  preprocessor frag2
  preprocessor stream4: detect_scans
  preprocessor stream4_reassemble
  preprocessor http_decode: 80 -unicode -cginull
  preprocessor rpc_decode: 111
  preprocessor bo: -nobrute
  preprocessor telnet_decode
  preprocessor portscan: $HOME_NET 4 3 portscan.log

and the output from snort -V which should be

  Version 1.8.3 (Build 88)

If you are not using the above version and preprocessors, do so and let me know
how it goes.

On Mon, Jan 07, 2002 at 05:26:41PM +1300, russell wrote:
> Greetings All,
> 	     A while back I reported that I was getting 'garbage' appended to
> the packets logged by snort and that these packets also had 0 for the
> MAC address.
> 
> Since my initial report I have installed a new instance of snort (1.8.3)
> on a different system and verified that the problem still exists.  I
> also reinstalled libpcap using the latest from www.tcpdump.org.
> 
> Both systems I tested this on were running Debian linux:
> Linux debian 2.4.12-itss1 #1 Mon Oct 15 06:55:58 NZDT 2001 i686 unknown
> 
> Appended is an example of an offending log record.  I believe that the
> real record terminates after "Connection close" and that the rest of the
> 'packet' is just stuff that was in the buffer from some other packet.
> 
> I suspect that the packet length is getting corrupted somewhere along
> the line...  Hmmm I just noticed that the IP Type is also 0x0 for these
> packets.  So it looks like something is overwriting the ethernet headers
> and the first part of the IP header including the length.
> 
> I originally had a problem with an older version of snort (1.8.0 ?)
> where I would get the alerts (with 0 MAC addresses) but no packets
> logged.  Marty advised me to upgrade to 1.8.2 as there had been a bug in
> the packet logging code. When I did so I got the current behaviour. I
> suspect that this fix was incomplete in some way and something in my
> setup tickles this bug.
> 
> What I find totally baffling is why this should just affect *me*!
> 
> Cheers, Russell.
> 
> [**] WEB-IIS .... access [**]
> 01/07-15:28:20.028524 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x25A
> 130.123.128.24:3024 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0
> IpLen:20 DgmLen:588
> ***AP*** Seq: 0x215073A1  Ack: 0x74F26D2D  Win: 0x40E8  TcpLen: 20
> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
> 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
> 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
> 20 72 20 64 69 72 20 48 54 54 50 2F 31 2E 30 0D   r dir HTTP/1.0.
> 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E  .Host: www..Conn
> 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A  nection: close..
> 0D 0A 69 74 74 6C 65 20 68 6F 74 21 26 6E 62 73  ..ittle hot!&nbs
> 70 3B 20 57 65 20 77 65 6E 74 20 74 6F 20 74 68  p; We went to th
> 65 20 53 68 72 75 62 62 65 72 79 20 66 6F 72 20  e Shrubbery for
> 61 20 64 72 69 6E 6B 20 61 6E 64 20 77 61 74 63  a drink and watc
> 68 65 64 20 74 68 65 20 6F 6E 65 20 61 6E 64 20  hed the one and
> 6F 6E 6C 79 20 53 61 6D 6F 61 6E 20 42 6F 62 20  only Samoan Bob
> 4D 61 72 6C 65 79 20 6A 61 6D 20 77 69 74 68 20  Marley jam with
> 68 69 73 20 6D 61 74 65 20 2D 20 79 6F 75 20 6D  his mate - you m
> 75 73 74 20 74 65 6C 6C 20 45 73 74 68 65 72 21  ust tell Esther!
> 26 6E 62 73 70 3B 20 41 6C 73 6F 20 63 6F 75 6C  &nbsp; Also coul
> 64 20 79 6F 75 20 73 61 79 20 74 68 61 6E 6B 73  d you say thanks
> 20 74 6F 20 59 76 6F 6E 6E 65 20 66 6F 72 20 74   to Yvonne for t
> 68 65 20 6C 65 61 76 69 6E 67 20 6D 65 61 6C 20  he leaving meal
> 70 61 72 74 69 63 75 6C 61 72 6C 79 20 74 68 65  particularly the
> 20 63 68 61 6D 70 65 72 73 20 2D 20 61 6E 64 26   champers - and&
> 6E 62 73 70 3B 68 65 72 65 27 73 20 6D 79 20 55  nbsp;here's my U
> 4B 20 61 64 64 72 65 73 73 20 28 74 68 6F 75 67  K address (thoug
> 68 74 20 4D 61 72 79 20 64 6F 65 73 20 68 61 76  ht Mary does hav
> 65 20 69 74 20 75 70 73 74 61 69 72 73 21 29 3C  e it upstairs!)<
> 2F 50 3E 0D 0A 3C 50 3E 34 35 20 41 6C 62 65 72  /P>..<P>45 Alber
> 74 20 52 6F 61 64 2C 20 57 61 6C 74 68 61 6D 73  t Road, Walthams
> 74 6F 77 2C 20 4C 6F 6E 64 6F 6E 2C 20 45 31 37  tow, London, E17
> 20 37 50 52 2E 3C 2F 50 3E 0D 0A 3C 50 3E 54 68   7PR.</P>..<P>Th
> 61 6E 6B 73 20 6D 79 20 64 65 61 72 2E 3C 2F 50  anks my dear.</P
> 3E 0D 0A 3C 50 3E 41 6E 64 20 68 65 6C 6C 6F 20  >..<P>And hello
> 74 6F 20 74 68 65 20 44 6D 20 74 65 61 6D 3C 2F  to the Dm team</
> 50 3E 0D 0A 3C 50 3E 57 69 6C 6C 20 77 72 69 74  P>..<P>Will writ
> 65 20 73 6F 6F 6E 20 28 65 70 2D 61 6C 69 76 65  e soon (ep-alive
> 0D 0A                                            ..
> 
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
> 
> 
> I am installing from the tarball so I can add some diagnostics if anyone
> has suggestions.
> 
> -- 
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand

-- 
Phil Wood, cpw at ...440...