[Snort-users] Garbage in snort logs

Jim Forster jforster at ...176...
Mon Jan 7 08:48:15 EST 2002


That's the exact setup I'm running here on FreeBSD 4.4 - and
occasionally getting packets like those you describe.
Next one I catch, I'll forward to the list.
It seems that forcing Snort to monitor one NIC did the trick in
stopping them as I haven't seen one since doing so.

---==On Mon, 7 Jan 2002 09:32:50 -0700, Phil Wood wrote==---
>Russell,
>
>Please send me your config file which should have something like this
>for preprocessors:
>
> preprocessor frag2
> preprocessor stream4: detect_scans
> preprocessor stream4_reassemble
> preprocessor http_decode: 80 -unicode -cginull
> preprocessor rpc_decode: 111
> preprocessor bo: -nobrute
> preprocessor telnet_decode
> preprocessor portscan: $HOME_NET 4 3 portscan.log
>
>and the output from snort -V which should be
>
> Version 1.8.3 (Build 88)
>
>If you are not using the above version and preprocessors, do so and let
>me know how it goes.
>
>On Mon, Jan 07, 2002 at 05:26:41PM +1300, russell wrote:
>> Greetings All,
>>        A while back I reported that I was getting 'garbage' appended to
>> the packets logged by snort and that these packets also had 0 for the
>> MAC address.
>>
>> Since my initial report I have installed a new instance of snort (1.8.3)
>> on a different system and verified that the problem still exists.  I
>> also reinstalled libpcap using the latest from www.tcpdump.org.
>>
>> Both systems I tested this on were running Debian linux:
>> Linux debian 2.4.12-itss1 #1 Mon Oct 15 06:55:58 NZDT 2001 i686 unknown
>>
>> Appended is an example of an offending log record.  I believe that the
>> real record terminates after "Connection close" and that the rest of the
>> 'packet' is just stuff that was in the buffer from some other packet.
>>
>> I suspect that the packet length is getting corrupted somewhere along
>> the line...  Hmmm I just noticed that the IP Type is also 0x0 for these
>> packets.  So it looks like something is overwriting the ethernet headers
>> and the first part of the IP header including the length.
>>
>> I originally had a problem with an older version of snort (1.8.0 ?)
>> where I would get the alerts (with 0 MAC addresses) but no packets
>> logged.  Marty advised me to upgrade to 1.8.2 as there had been a bug in
>> the packet logging code. When I did so I got the current behaviour. I
>> suspect that this fix was incomplete in some way and something in my
>> setup tickles this bug.
>>
>> What I find totally baffling is why this should just affect *me*!
>>
>> Cheers, Russell.
>>
>> [**] WEB-IIS .... access [**]
>> 01/07-15:28:20.028524 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x25A
>> 130.123.128.24:3024 -> 130.216.191.67:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:588
>> ***AP*** Seq: 0x215073A1  Ack: 0x74F26D2D  Win: 0x40E8  TcpLen: 20
>> 47 45 54 20 2F 73 63 72 69 70 74 73 2F 2E 2E 5C  GET /scripts/..\
>> 2E 2E 2F 77 69 6E 6E 74 2F 73 79 73 74 65 6D 33  ../winnt/system3
>> 32 2F 63 6D 64 2E 65 78 65 3F 2F 63 2B 64 69 72  2/cmd.exe?/c+dir
>> 20 72 20 64 69 72 20 48 54 54 50 2F 31 2E 30 0D   r dir HTTP/1.0.
>> 0A 48 6F 73 74 3A 20 77 77 77 0D 0A 43 6F 6E 6E  .Host: www..Conn
>> 6E 65 63 74 69 6F 6E 3A 20 63 6C 6F 73 65 0D 0A  nection: close..
>> 0D 0A 69 74 74 6C 65 20 68 6F 74 21 26 6E 62 73  ..ittle hot!&nbs
>> 70 3B 20 57 65 20 77 65 6E 74 20 74 6F 20 74 68  p; We went to th
>> 65 20 53 68 72 75 62 62 65 72 79 20 66 6F 72 20  e Shrubbery for
>> 61 20 64 72 69 6E 6B 20 61 6E 64 20 77 61 74 63  a drink and watc
>> 68 65 64 20 74 68 65 20 6F 6E 65 20 61 6E 64 20  hed the one and
>> 6F 6E 6C 79 20 53 61 6D 6F 61 6E 20 42 6F 62 20  only Samoan Bob
>> 4D 61 72 6C 65 79 20 6A 61 6D 20 77 69 74 68 20  Marley jam with
>> 68 69 73 20 6D 61 74 65 20 2D 20 79 6F 75 20 6D  his mate - you m
>> 75 73 74 20 74 65 6C 6C 20 45 73 74 68 65 72 21  ust tell Esther!
>> 26 6E 62 73 70 3B 20 41 6C 73 6F 20 63 6F 75 6C  &nbsp; Also coul
>> 64 20 79 6F 75 20 73 61 79 20 74 68 61 6E 6B 73  d you say thanks
>> 20 74 6F 20 59 76 6F 6E 6E 65 20 66 6F 72 20 74   to Yvonne for t
>> 68 65 20 6C 65 61 76 69 6E 67 20 6D 65 61 6C 20  he leaving meal
>> 70 61 72 74 69 63 75 6C 61 72 6C 79 20 74 68 65  particularly the
>> 20 63 68 61 6D 70 65 72 73 20 2D 20 61 6E 64 26   champers - and&
>> 6E 62 73 70 3B 68 65 72 65 27 73 20 6D 79 20 55  nbsp;here's my U
>> 4B 20 61 64 64 72 65 73 73 20 28 74 68 6F 75 67  K address (thoug
>> 68 74 20 4D 61 72 79 20 64 6F 65 73 20 68 61 76  ht Mary does hav
>> 65 20 69 74 20 75 70 73 74 61 69 72 73 21 29 3C  e it upstairs!)<
>> 2F 50 3E 0D 0A 3C 50 3E 34 35 20 41 6C 62 65 72  /P>..<P>45 Alber
>> 74 20 52 6F 61 64 2C 20 57 61 6C 74 68 61 6D 73  t Road, Walthams
>> 74 6F 77 2C 20 4C 6F 6E 64 6F 6E 2C 20 45 31 37  tow, London, E17
>> 20 37 50 52 2E 3C 2F 50 3E 0D 0A 3C 50 3E 54 68   7PR.</P>..<P>Th
>> 61 6E 6B 73 20 6D 79 20 64 65 61 72 2E 3C 2F 50  anks my dear.</P
>> 3E 0D 0A 3C 50 3E 41 6E 64 20 68 65 6C 6C 6F 20  >..<P>And hello
>> 74 6F 20 74 68 65 20 44 6D 20 74 65 61 6D 3C 2F  to the Dm team</
>> 50 3E 0D 0A 3C 50 3E 57 69 6C 6C 20 77 72 69 74  P>..<P>Will writ
>> 65 20 73 6F 6F 6E 20 28 65 70 2D 61 6C 69 76 65  e soon (ep-alive
>> 0D 0A                                            ..
>>
>>
>>=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>>
>>
>> I am installing from the tarball so I can add some diagnostics if
>>anyone
>> has suggestions.
>>
>> --
>> Russell Fulton, Computer and Network Security Officer
>> The University of Auckland,  New Zealand
>>
>


--------------------------------------------------------------------
Sleep: A completely inadequate substitute for caffeine.

Jim Forster, jforster at ...176... on 01/07/2002
Network Administrator
RapidNet, A Golden West Company
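Russell offers to add diagnostics to the Snort build; a first pass can be made on the records Snort already writes. The script below is an added example, not code from this thread or from the Snort project. It parses the text-log layout quoted above (alert line, link-layer line, IP line, TCP line, hex/ASCII dump) and flags the two symptoms under discussion: an all-zero Ethernet header, and a dump carrying more payload bytes than the IP and TCP header lengths allow. It also checks the link-layer "len:" against DgmLen plus the 14-byte Ethernet header. The two-record sample log is constructed for this example; the second record copies the shape of the one Russell posted with invented addresses and a shortened payload.

```python
"""Consistency checks on Snort 1.x text packet-log records.

Added example (not from the thread or the Snort project). Flags an all-zero
Ethernet header, a frame length that does not fit the IP datagram, and a hex
dump holding more payload bytes than the IP/TCP header lengths allow.
"""
import re
from dataclasses import dataclass

ETH_HDR_LEN = 14    # Ethernet header bytes in front of the IP datagram
ETH_MIN_FRAME = 60  # Ethernet pads short frames to 60 bytes (without FCS)

LINK_RE = re.compile(
    r"^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+"
    r"(?P<smac>[0-9A-Fa-f:]+)\s+->\s+(?P<dmac>[0-9A-Fa-f:]+)\s+"
    r"type:0x(?P<etype>[0-9A-Fa-f]+)\s+len:0x(?P<flen>[0-9A-Fa-f]+)"
)
IP_RE = re.compile(r"IpLen:(?P<iplen>\d+)\s+DgmLen:(?P<dgmlen>\d+)")
TCP_RE = re.compile(r"TcpLen:\s*(?P<tcplen>\d+)")
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")  # hex column of a dump line


@dataclass
class Record:
    alert: str
    src_mac: str = ""
    dst_mac: str = ""
    eth_type: int = 0
    frame_len: int = 0     # "len:" on the link-layer line
    ip_hdr_len: int = 0
    dgm_len: int = 0
    tcp_hdr_len: int = 0
    payload: bytes = b""   # bytes recovered from the dump's hex column


def parse_records(text):
    """Split a Snort text log into Record objects; a blank line ends a record."""
    records, cur = [], None
    for line in text.splitlines():
        if not line.strip():
            if cur is not None:
                records.append(cur)
                cur = None
            continue
        if line.startswith("[**]"):
            cur = Record(alert=line.strip())
            continue
        if cur is None:
            continue
        if (m := HEX_RE.match(line)):
            cur.payload += bytes.fromhex(m.group(1).replace(" ", ""))
        elif (m := LINK_RE.match(line)):
            cur.src_mac, cur.dst_mac = m["smac"], m["dmac"]
            cur.eth_type = int(m["etype"], 16)
            cur.frame_len = int(m["flen"], 16)
        elif (m := IP_RE.search(line)):   # search: the IP fields may be wrapped
            cur.ip_hdr_len, cur.dgm_len = int(m["iplen"]), int(m["dgmlen"])
        elif (m := TCP_RE.search(line)):
            cur.tcp_hdr_len = int(m["tcplen"])
    if cur is not None:
        records.append(cur)
    return records


def diagnose(rec):
    """Return the inconsistencies found in one record (empty list = consistent)."""
    findings = []

    def zero_mac(mac):
        return bool(mac) and all(int(o, 16) == 0 for o in mac.split(":"))

    if zero_mac(rec.src_mac) and zero_mac(rec.dst_mac) and rec.eth_type == 0:
        findings.append("link-layer header is all zeros (MACs 0:0:0:0:0:0, type 0x0)")
    wire = rec.dgm_len + ETH_HDR_LEN
    if rec.frame_len < wire or rec.frame_len > max(wire, ETH_MIN_FRAME):
        findings.append(f"frame len {rec.frame_len} does not fit DgmLen {rec.dgm_len} + {ETH_HDR_LEN}")
    allowed = rec.dgm_len - rec.ip_hdr_len - rec.tcp_hdr_len
    if len(rec.payload) > allowed:
        findings.append(f"dump has {len(rec.payload)} payload bytes, headers allow {allowed}")
    return findings


def scan(text):
    """Pair each record's alert line with its findings."""
    return [(rec.alert, diagnose(rec)) for rec in parse_records(text)]


# Constructed sample: record 1 is consistent; record 2 copies the shape of the
# record posted in the thread (zero MACs, type 0x0, trailing extra bytes).
SAMPLE_LOG = """
[**] WEB-IIS cmd.exe access [**]
01/07-15:28:20.028524 0:50:4:AB:CD:1 -> 0:A0:C9:12:34:56 type:0x800 len:0x4F
10.0.0.5:3024 -> 10.0.0.9:80 TCP TTL:64 TOS:0x0 ID:4321 IpLen:20 DgmLen:65 DF
***AP*** Seq: 0x1 Ack: 0x2 Win: 0x4000 TcpLen: 20
47 45 54 20 2F 63 6D 64 2E 65 78 65 20 48 54 54  GET /cmd.exe HTT
50 2F 31 2E 30 0D 0A 0D 0A                       P/1.0....

[**] WEB-IIS cmd.exe access [**]
01/07-15:28:21.104411 0:0:0:0:0:0 -> 0:0:0:0:0:0 type:0x0 len:0x4E
10.0.0.5:3025 -> 10.0.0.9:80 TCP TTL:240 TOS:0x10 ID:0 IpLen:20 DgmLen:64
***AP*** Seq: 0x3 Ack: 0x4 Win: 0x40E8 TcpLen: 20
47 45 54 20 2F 63 6D 64 2E 65 78 65 20 48 54 54  GET /cmd.exe HTT
50 2F 31 2E 30 0D 0A 0D 0A 69 74 74 6C 65 20 68  P/1.0....ittle h
6F 74 21 20 57 65 20 77 65 6E 74 20 74 6F 20 74  ot! We went to t
"""

if __name__ == "__main__":
    for alert, findings in scan(SAMPLE_LOG):
        print(alert, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

Run it against a real snort text log (`python3 check.py < snort.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) to see whether the records with zero MACs are also the only ones whose dump overruns the header lengths; if the frame-length check never fires, the link-layer "len:" field is not the one being corrupted, which narrows where the overwrite has to be.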






