[Snort-users] snort 1.8.3 splicing packets

Scott Nursten scottn at ...4526...
Thu Jan 10 09:17:04 EST 2002


Greetings all,

Anyone had strange behaviour out of Snort 1.8.3? I've had two really
strange incidents being:

1. Snort seems to be splicing packets - i.e. If I nmap a machine and
surf the web at the same time, I get ICMP/HTTP spliced packets in my
MySQL DB. At first it looked really scary, like ICMP tunnelling or
something to that effect, but when I realised that I controlled what
went into the ICMP packet, I dropped a Trinux box on the network and
dumped the packets alongside snort. The result was astounding - no HTTP
data in my ICMP packets  after all :) 

2. A friend of mine has just installed 1.8.3 and seems to be having some
difficulty reading some of the tcpdump format log files with tcpdump ||
snort. It seems that it has some difficulties with the pcap. 

tcpdump: pcap_loop: bogus savefile header

This is very strange to me as both the tcpdump and the snort were
compiled with a fresh 0.6.2 pcap from tcpdump.org. What's even stranger
is he can read SOME of the files that snort writes, but not others!!!  

Any ideas, questions, comments?! 

Regards, 

Scott Nursten 






More information about the Snort-users mailing list