[Snort-users] Re: Garbage in snort logs

Martin Roesch roesch at ...1935...
Thu Jan 10 20:59:02 EST 2002


Ok, go get it, build 90 is in CVS with corrected stream4 stream_size
calculation code.  Let me know if this fixes the problem.

     -Marty

Martin Roesch wrote:
> 
> The stream_size calculation in stream4 is what's causing the problem,
> I'm working on it as we speak.  I'll be checking in a new build in a
> bit, I'll let you guys know when it's ready.
> 
>      -Marty
> 
> Russell Fulton wrote:
> >
> > > From: Andreas Östling <andreaso at ...236...>
> > > Hello,
> > >
> > > I experience the same problems as Russell from time to time.
> > > I was running 1.8.3 (release version), but unfortunately build 89 did not
> > > solve all problems. The ethernet headers now seem to be correct, but the
> > > payload is still messed up.
> > >
> > [ snip ]
> >
> > > This is just a test machine so I'll try to experiment a bit. Any clever
> > > suggestions about what may be worth trying?
> > > To me it seems like it's always those Unicode requests that mess things up.
> > > Could there also be some problem with http_decode?
> >
> > Agreed.
> >
> > >
> > > (did build 89 solve your problems, Russell?)
> >
> > no, my experience mirrors yours.  I'm pleased I'm no longer alone; I was
> > starting to think I must have been imagining these problems ;-)
> >
> > Here is some mail I sent to Marty this morning which has some other
> > ideas on this problem...
> >
> > Hi Marty,
> >         I have just been corresponding with Brennan Bakke
> > <bbakke at ...4534...>
> > who reported finding bits of snort rules in logged ICMP packets (on the
> > security focus incidents list).  I told him about the build 89 fixes and
> > suggested that these might fix his problems.  Someone else pointed out
> > (quite rightly) that the ICMP packets should not go anywhere near the
> > stream4 preprocessor!
> >
> > So I wonder if there is a bug somewhere much lower down in the stack
> > which is mangling some length and causing both these problems.
> >
> > In my case turning off the stream4 stuff makes these alerts go away
> > but that does *not* necessarily imply that it is the stream4 stuff that
> > is causing the problem in the first place.
> >
> > Cheers, Russell.
> >
> > --
> > Russell Fulton, Computer and Network Security Officer
> > The University of Auckland,  New Zealand
> >
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users at lists.sourceforge.net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://www.geocrawler.com/redir-sf.php3?list=snort-users
> 
> --
> Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
> Sourcefire: Professional Snort Sensor and Management Console appliances
> roesch at ...1935... - http://www.sourcefire.com
> Snort: Open Source Network IDS - http://www.snort.org
> 

--
Martin Roesch - Founder/CEO, Sourcefire Inc. - (410)552-6999
Sourcefire: Professional Snort Sensor and Management Console appliances
roesch at ...1935... - http://www.sourcefire.com  
Snort: Open Source Network IDS - http://www.snort.org
