[Snort-users] Garbage in snort logs
cpw at ...440...
Wed Jan 9 09:18:02 EST 2002
On Wed, Jan 09, 2002 at 02:04:38PM +1300, russell wrote:
> I have made some progress in working out what is going on. I now have
> two snort sensors working in parallel so I can twiddle the config file
> of one and see how the logs compare to the 'standard' config.
> I have now established that commenting out the 'preprocessor
> stream4_reassemble' has the effect of not logging the packets with MAC
> address 0. I.e. I don't get alerts at all for these events when the
> reassembling is not enabled. This suggests that the problems are
> occurring in the reassembling code.
> I tracked one alert that was logged by the snort instance doing
> reassembling and not logged by the other. I verified from our argus logs
> that there was a session at this time with the logged port numbers but
> we failed to find anything in the web server logs that matched the
> logged content of the packet (an attempt to execute command.exe by
> escaping from _vti_bin).
> This suggests to me that there is packet corruption taking place in the
> packet reassembling *before* the pattern matching takes place and that
> packets from different tcp streams are being mixed. From the look of the
> data in the logged packets I would guess that some lengths are not being
> correctly set so the data from some previous packet gets appended.
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland, New Zealand
Phil Wood, cpw at ...440...
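The failure mode Russell guesses at above (a reassembly length that is not reset, so bytes of a previous stream's payload end up appended to the current one), as an added illustration in C that is not from this thread or from Snort's stream4 code; the buffer layout, function names and sample payloads are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Shared reassembly buffer modelled on the hypothesis in the thread: one
   buffer is reused for every stream and the declared length is what the
   pattern matcher trusts.  Hypothetical code, not Snort's stream4. */
#define REASM_MAX 256
typedef struct {
    char   data[REASM_MAX];
    size_t len;                 /* bytes the matcher will inspect */
} reasm_buf;

/* Rebuild the buffer with one stream's payload.  The fixed path sets len
   to the bytes actually written; the buggy path only ever grows len, so a
   shorter stream inherits the tail of the previous one. */
static size_t reasm_build(reasm_buf *b, const char *seg, size_t n, int fixed) {
    if (n > REASM_MAX) n = REASM_MAX;
    memcpy(b->data, seg, n);
    if (fixed || n > b->len) b->len = n;
    return b->len;
}

/* Process two streams back to back, copy what the matcher would see for
   the second one into out, and return its declared length. */
size_t demo(int fixed, char *out, size_t outsz) {
    reasm_buf b = { {0}, 0 };
    /* constructed sample payloads, not captured traffic */
    const char *stream_a = "AAAA-first-stream";   /* 17 bytes */
    const char *stream_b = "BB-second";           /*  9 bytes */
    reasm_build(&b, stream_a, strlen(stream_a), fixed);
    size_t n = reasm_build(&b, stream_b, strlen(stream_b), fixed);
    if (n > outsz - 1) n = outsz - 1;
    memcpy(out, b.data, n);
    out[n] = '\0';
    return b.len;
}

/* Sanity check a sensor can apply before alerting: the reassembled length
   must equal the payload bytes actually seen for that stream. */
int reasm_consistent(size_t reassembled_len, size_t payload_seen) {
    return reassembled_len == payload_seen;
}
int main(void) {
    char out[REASM_MAX];
    size_t n = demo(0, out, sizeof out);
    printf("buggy: len=%zu data=\"%s\"\n", n, out);
    n = demo(1, out, sizeof out);
    printf("fixed: len=%zu data=\"%s\"\n", n, out);
    return 0;
}
```

With the buggy path the second stream's alert payload carries the tail of the first stream, which is exactly the kind of mixed-stream content that would not match anything in the web server logs.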