[Snort-users] Garbage in snort logs

russell R.FULTON at ...3809...
Tue Jan 8 17:06:16 EST 2002

I have made some progress in working out what is going on.  I now have
two snort sensors working in parallel so I can twiddle the config file
of one and see how the logs compare to the 'standard' config.

I have now established that commenting out the 'preprocessor
stream4_reassemble' has the effect of not logging the packets with MAC
address 0. I.e. I don't get alerts at all for these events when the
reassembling is not enabled.  This suggests that the problems are
occurring in the reassembling code.

I tracked one alert that was logged by the snort instance doing
reassembling and not logged by the other. I verified from our argus logs
that there was a session at this time with the logged port numbers but
we failed to find anything in the web server logs that matched the
logged content of the packet (an attempt to execute command.exe by
escaping from _vti_bin).

This suggests to me that there is packet corruption taking place in the
packet reassembling *before* the pattern matching takes place and that
packets from different tcp streams are being mixed. From the look of the
data in the logged packets I would guess that some lengths are not being
correctly set so the data from some previous packet gets appended.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
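A toy model of the failure mode described above, written as an added illustration for this thread and not Snort's stream4 code: a per-stream reassembly buffer whose announced length is not reset when the buffer is recycled for a new session, so the tail of the previous session's bytes trails the next session's rebuilt pseudo-packet. The two HTTP sessions, the structure names and the `fixed` switch are all constructed for the example.

```c
#include <string.h>

#define BUF_SIZE 64

/* One stream's reassembly buffer (toy model, not Snort's stream4 structures). */
typedef struct {
    unsigned char data[BUF_SIZE];
    size_t wpos;  /* where the next segment payload is written */
    size_t len;   /* length announced in the rebuilt pseudo-packet */
} stream_buf;

/* Recycle the buffer for a new session.  The buggy path resets only the
 * write position, so the old bytes and the old announced length survive. */
static void begin_stream(stream_buf *s, int fixed) {
    s->wpos = 0;
    if (fixed) {
        s->len = 0;
        memset(s->data, 0, sizeof s->data);
    }
}

/* Copy one segment payload into the buffer; the announced length only grows. */
static void append_segment(stream_buf *s, const unsigned char *p, size_t n) {
    if (n > BUF_SIZE - s->wpos) n = BUF_SIZE - s->wpos;  /* never overrun */
    memcpy(s->data + s->wpos, p, n);
    s->wpos += n;
    if (s->wpos > s->len) s->len = s->wpos;
}

/* Hand the rebuilt pseudo-packet to the pattern matcher: len bytes into out. */
static size_t flush_stream(const stream_buf *s, unsigned char *out) {
    memcpy(out, s->data, s->len);
    return s->len;
}

/* Run two constructed sessions through one recycled buffer and return the
 * length of the second session's pseudo-packet; out receives its bytes. */
size_t rebuild_second_session(int fixed, unsigned char out[BUF_SIZE]) {
    static const unsigned char first[] = "GET /long/path/to/some/resource.html HTTP/1.0\r\n";
    static const unsigned char second[] = "GET /a HTTP/1.0\r\n";
    stream_buf s = {0};
    begin_stream(&s, fixed);
    append_segment(&s, first, sizeof first - 1);
    flush_stream(&s, out);           /* first session delivered to the matcher */
    begin_stream(&s, fixed);         /* buffer reused for the next session */
    append_segment(&s, second, sizeof second - 1);
    return flush_stream(&s, out);    /* 47 bytes when buggy, 17 when fixed */
}
```

With `fixed` set to 0 the second pseudo-packet is the 17-byte request followed by 30 stale bytes of the earlier session, which is the kind of mixed-stream content a matcher would then alert on; with the length reset the matcher sees only the 17 bytes that belong to that session.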

