[Snort-users] Re: Garbage in snort logs

Russell Fulton R.FULTON at ...3809...
Thu Jan 10 12:45:02 EST 2002


> From: Andreas Östling <andreaso at ...236...>
> Hello,
> 
> I experience the same problems as Russell from time to time.
> I was running 1.8.3 (release version), but unfortunately build 89 did not 
> solve all problems. The ethernet headers now seem to be correct, but the 
> payload is still messed up.
> 
[ snip ]

> This is just a test machine so I'll try to experiment a bit. Any clever 
> suggestions about what may be worth trying?
> To me it seems like its always those unicode requests that mess things up. 
> Could there also be some problem with http_decode?

Agreed.

> 
> (did build 89 solve your problems, Russell?)

no, my experience mirrors yours.  I'm pleased I'm no longer alone; I was
starting to think I must have been imagining these problems ;-)

Here is some mail I sent to Marty this morning which has some other
ideas on this problem...

Hi Marty,
        I have just been corresponding with Brennan Bakke
<bbakke at ...4534...>
who reported finding bits of snort rules in logged ICMP packets (on the 
security focus incidents list).  I told him about the build 89 fixes and
suggested that these might fix his problems.  Someone else pointed out
(quite rightly) that the ICMP packets should not go anywhere near the 
stream4 preprocessor!

So I wonder if there is a bug somewhere much lower down in the stack
which is mangling some length and causing both these problems.

In my case turning off the stream4 stuff makes these alerts go away,
but that does *not* necessarily imply that it is the stream4 stuff that
is causing the problem in the first place.

Cheers, Russell. 


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand




