[Snort-users] snort 1.8.3 splicing packets

Martin Roesch roesch at ...1935...
Thu Jan 10 10:29:04 EST 2002

Scott Nursten wrote:
> Greetings all,
> Anyone had strange behaviour out of Snort 1.8.3? I've had two really
> strange incidents being:
> 1. Snort seems to be splicing packets - i.e. If I nmap a machine and
> surf the web at the same time, I get ICMP/HTTP spliced packets in my
> MySQL DB. At first it looked really scary, like ICMP tunnelling or
> something to that effect, but when I realised that I controlled what
> went into the ICMP packet, I dropped a Trinux box on the network and
> dumped the packets alongside snort. The result was astounding - no HTTP
> data in my ICMP packets after all :)

This is being worked on; we use a common scratch buffer for reassembled
TCP streams and old data is being left in the buffer for some reason.
This is being actively worked on.

> 2. A friend of mine has just installed 1.8.3 and seems to be having some
> difficulty reading some of the tcpdump format log files with tcpdump ||
> snort. It seems that it has some difficulties with the pcap.
> tcpdump: pcap_loop: bogus savefile header
> This is very strange to me as both the tcpdump and the snort were
> compiled with a fresh 0.6.2 pcap from tcpdump.org. What's even stranger
> is he can read SOME of the files that snort writes, but not others!!!

Is one of the systems a RedHat Linux box (and why are you reporting bugs
without following the BUGS file...)?  If so, that's probably your
problem: RedHat in their infinite wisdom decided to change the pcap
headers for their distro, breaking the cross-platform nature of the pcap
format.  Check out pcapedit that comes with Ethereal; it should be able
to fix the problems.


Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
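
An added example, not part of the original message and not Snort or libpcap code: a small savefile checker that tells the classic pcap layout from a modified one and shows why a reader that assumes the wrong per-packet header length rejects the file. It assumes the header change described above is the patched libpcap variant with magic 0xa1b2cd34 and 24-byte record headers; the function names and sample data are constructed for illustration.

```python
import struct

# Magic numbers as read in the file's own byte order.
STANDARD_MAGIC = 0xA1B2C3D4   # classic libpcap savefile, 16-byte record headers
MODIFIED_MAGIC = 0xA1B2CD34   # patched variant (assumed), 24-byte record headers
RECORD_HDR_LEN = {STANDARD_MAGIC: 16, MODIFIED_MAGIC: 24}

def read_file_header(data):
    """Return (endian, magic, snaplen, linktype) or raise ValueError."""
    if len(data) < 24:
        raise ValueError("truncated file header")
    for endian in ("<", ">"):
        fields = struct.unpack(endian + "IHHiIII", data[:24])
        if fields[0] in RECORD_HDR_LEN:
            return endian, fields[0], fields[5], fields[6]
    raise ValueError("unknown magic number")

def count_records(data, hdr_len=None):
    """Walk every packet record; hdr_len=None uses the length the magic implies."""
    endian, magic, snaplen, _linktype = read_file_header(data)
    hdr_len = hdr_len or RECORD_HDR_LEN[magic]
    off, n = 24, 0
    while off < len(data):
        if off + hdr_len > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        _sec, _usec, caplen, wirelen = struct.unpack_from(endian + "IIII", data, off)
        # A misaligned reader ends up interpreting timestamps or payload as lengths.
        if caplen > snaplen or caplen > wirelen or off + hdr_len + caplen > len(data):
            raise ValueError("bogus record header at offset %d (caplen=%d)" % (off, caplen))
        off += hdr_len + caplen
        n += 1
    return n

def make_sample(magic, payloads):
    """Constructed little-endian savefile: Ethernet linktype, snaplen 1514."""
    out = struct.pack("<IHHiIII", magic, 2, 4, 0, 0, 1514, 1)
    for i, p in enumerate(payloads):
        out += struct.pack("<IIII", 1010676544 + i, 0, len(p), len(p))
        if magic == MODIFIED_MAGIC:
            out += struct.pack("<IHBB", 2, 0x0800, 0, 0)  # ifindex, protocol, pkt_type, pad
        out += p
    return out
```

Calling `count_records(data, hdr_len=16)` on a modified-format file reproduces the mismatch: the first record parses, then the walk lands eight bytes early and fails on the next header.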
