[Snort-users] Re: Garbage in snort logs

Martin Roesch roesch at ...1935...
Thu Jan 10 13:55:04 EST 2002


The stream_size calculation in stream4 is what's causing the problem,
I'm working on it as we speak.  I'll be checking in a new build in a
bit, I'll let you guys know when it's ready.

     -Marty

Russell Fulton wrote:
> 
> > From: Andreas Östling <andreaso at ...236...>
> > Hello,
> >
> > I experience the same problems as Russell from time to time.
> > I was running 1.8.3 (release version), but unfortunately build 89 did not
> > solve all problems. The ethernet headers now seem to be correct, but the
> > payload is still messed up.
> >
> [ snip ]
> 
> > This is just a test machine so I'll try to experiment a bit. Any clever
> > suggestions about what may be worth trying?
> > To me it seems like it's always those unicode requests that mess things up.
> > Could there also be some problem with http_decode?
> 
> Agreed.
> 
> >
> > (did build 89 solve your problems, Russell?)
> 
> no, my experience mirrors yours.  I'm pleased I'm no longer alone; I was
> starting to think I must have been imagining these problems ;-)
> 
> Here is some mail I sent to Marty this morning which has some other
> ideas on this problem...
> 
> Hi Marty,
>         I have just been corresponding with Brennan Bakke
> <bbakke at ...4534...>
> who reported finding bits of snort rules in logged ICMP packets (on the
> security focus incidents list).  I told him about the build 89 fixes and
> suggested that these might fix his problems.  Someone else pointed out
> (quite rightly) that the ICMP packets should not go anywhere near the
> stream4 preprocessor!
> 
> So I wonder if there is a bug somewhere much lower down in the stack
> which is mangling some length and causing both these problems.
> 
> In my case turning off the stream4 stuff makes these alerts go away
> but that does *not* necessarily imply that it is the stream4 stuff that
> is causing the problem in the first place.
> 
> Cheers, Russell.
> 
> --
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand
> 

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org