[Snort-users] Garbage in snort logs
roesch at ...1935...
Tue Jan 8 21:52:04 EST 2002
I made some tweaks to stream4 tonight that will hopefully clear up
your problem, check out the latest code from cvs if you're interested
(the SNORT_1_8 branch, not the 1.9-dev code). This is build 89. It now
fills in the Ethernet headers appropriately and is a little tighter in
how it puts things together, hopefully it'll clear up your problem. Let
me know how it goes.
> I have made some progress in working out what is going on. I now have
> two snort sensors working in parallel so I can twiddle the config file
> of one and see how the logs compare to the 'standard' config.
> I have now established that commenting out the 'preprocessor
> stream4_reassemble' has the effect of not logging the packets with MAC
> address 0. I.e. I don't get alerts at all for these events when the
> reassembling is not enabled. This suggests that the problems are
> occurring in the reassembling code.
> I tracked one alert that was logged by the snort instance doing
> reassembling and not logged by the other. I verified from our argus logs
> that there was a session at this time with the logged port numbers but
> we failed to find anything in the web server logs that matched the
> logged content of the packet (an attempt to execute command.exe by
> escaping from _vti_bin).
> This suggests to me that there is packet corruption taking place in the
> packet reassembling *before* the pattern matching takes place and that
> packets from different tcp streams are being mixed. From the look of the
> data in the logged packets I would guess that some lengths are not being
> correctly set so the data from some previous packet gets appended.
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org