[Snort-users] snort 1.8.3 splicing packets

Ryan Russell ryan at ...35...
Thu Jan 10 10:18:02 EST 2002


On Thu, 10 Jan 2002, Scott Nursten wrote:

> 1. Snort seems to be splicing packets - i.e. If I nmap a machine and
> surf the web at the same time, I get ICMP/HTTP spliced packets in my
> MySQL DB. At first it looked really scary, like ICMP tunnelling or
> something to that effect, but when I realised that I controlled what
> went into the ICMP packet, I dropped a Trinux box on the network and
> dumped the packets alongside snort. The result was astounding - no HTTP
> data in my ICMP packets after all :)

Russell Fulton recently reported similar results on the Snort-users
list.  In his case, the problem appears to be related to the
stream4 preprocessor.  As a test, could you try temporarily running with
that shut off for a bit, and see if the problem is still there?  Marty has
reported that he has made some changes to it to address this in the
latest 1.8.3 CVS copy.

					Ryan
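The test Ryan suggests, written out as an added example (it is not part of the original post or of the Snort distribution): the snort.conf fragment below shows the stream4 lines as they appear in a stock 1.8.x config, commented out so the preprocessor is not loaded. The exact option lists on those two lines are assumed to match the default snort.conf of that version; if yours differ, comment out whatever `preprocessor stream4` and `preprocessor stream4_reassemble` lines you have.

```conf
# snort.conf excerpt (constructed example, not the shipped file)
#
# Step 1 of the test: disable stream4 and its reassembly so that no
# TCP stream data is ever handed to the detection engine or the
# database output plugin as a rebuilt packet.
#
# Original lines (assumed stock 1.8.x defaults) are kept for reference:
#preprocessor stream4: detect_scans, disable_evasion_alerts
#preprocessor stream4_reassemble

# Other preprocessors stay enabled so the rest of the ruleset behaves
# as before and only the stream4 variable changes.
preprocessor frag2
preprocessor http_decode: 80 -unicode -cginull
preprocessor portscan: $HOME_NET 4 3 portscan.log

# Step 2 of the test: keep the MySQL output so the spliced-looking
# records can be compared directly against the earlier ones.
output database: log, mysql, user=snort dbname=snort host=localhost
```

Run Snort with this config (`snort -c snort.conf -i eth0 -l /var/log/snort`) while capturing the same interface with `tcpdump -i eth0 -s 1514 -w side-by-side.pcap` on the second box, then repeat the nmap-plus-browsing test. If ICMP records in the database no longer carry HTTP payload while the pcap still shows ordinary ICMP, the splicing is coming from stream4 rather than from the wire; if the mixed records persist with stream4 off, the cause lies elsewhere and the CVS fix Ryan mentions will not address it.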