[Snort-users] Re: Garbage in snort logs
roesch at ...1935...
Thu Jan 10 20:59:02 EST 2002
Ok, go get it, build 90 is in CVS with corrected stream4 stream_size
calculation code. Let me know if this fixes the problem.
Martin Roesch wrote:
> The stream_size calculation in stream4 is what's causing the problem,
> I'm working on it as we speak. I'll be checking in a new build in a
> bit, I'll let you guys know when it's ready.
> Russell Fulton wrote:
> > > From: Andreas Östling <andreaso at ...236...>
> > > Hello,
> > >
> > > I experience the same problems as Russell from time to time.
> > > I was running 1.8.3 (release version), but unfortunately build 89 did not
> > > solve all problems. The ethernet headers now seem to be correct, but the
> > > payload is still messed up.
> > >
> > [ snip ]
> > > This is just a test machine so I'll try to experiment a bit. Any clever
> > > suggestions about what may be worth trying?
> > > To me it seems like it's always those unicode requests that mess things up.
> > > Could there also be some problem with http_decode?
> > Agreed.
> > >
> > > (did build 89 solve your problems, Russell?)
> > no, my experience mirrors yours. I am pleased I am no longer alone; I was
> > starting to think I must have been imagining these problems ;-)
> > Here is some mail I sent to Marty this morning which has some other
> > ideas on this problem...
> > Hi Marty,
> > I have just been corresponding with Brennan Bakke
> > <bbakke at ...4534...>
> > who reported finding bits of snort rules in logged ICMP packets (on the
> > security focus incidents list). I told him about the build 89 fixes and
> > suggested that these might fix his problems. Someone else pointed out
> > (quite rightly) that the ICMP packets should not go anywhere near the
> > stream4 preprocessor!
> > So I wonder if there is a bug somewhere much lower down in the stack
> > which is mangling some length and causing both these problems.
> > In my case turning off the stream4 stuff makes these alerts go away
> > but that does *not* necessarily imply that it is the stream4 stuff that
> > is causing the problem in the first place.
> > Cheers, Russell.
> > --
> > Russell Fulton, Computer and Network Security Officer
> > The University of Auckland, New Zealand
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com
Snort: Open Source Network IDS - http://www.snort.org