[Snort-users] Snort Weirdness on a NetWinder

rewt at ...5367... rewt at ...5367...
Thu Mar 21 13:17:29 EST 2002


So I've gone through several versions of snort, and a single known working
copy of libpcap (confirmed with tcpdump and others). While tcpdump and
other libpcap-related things work fine, snort just does something weird.

When I monitor traffic, no matter what mode I use (sniffer, logger,
ids) it exhibits this problem. Note that I've managed to get snort working
on dozens of machines that -aren't- NetWinders, so I suspect it might be
something StrongARM related.

Anyways, this is what happens: the destination IP is replaced with the
source IP, and the source IP gets replaced by an incrementing random IP.

I think an example is in order. The client is 192.168.100.8, connecting to
an ssh server on 192.168.100.166.

packet    source ip/port             destination ip/port
----------------------------------------------------------
  1        192.168.58.345:1168        192.168.100.8:22
  2        192.168.58.346:22          192.168.100.166:1168
  3        192.168.58.347:1168        192.168.100.8:22
  4        192.168.58.348:22          192.168.100.166:1168

and so on.

Now there are several peculiar things which kind of disprove my theory
that this might be endian or processor related. First off is the fact that
the port numbers remain consistent, and the second is the fact that the
source IPs increment. Note that the IPs don't always increment by 1,
sometimes it's by 5 or 10 or a whole subnet!

Anyways, I'm stuck on this one. I looked at the FAQ, CVS commit logs for
snort, and did some Google searching, all to no avail.

Any help would be appreciated, my NetWinder is getting sad.
Cheers.

Jonathan
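One thing a practitioner would check on a platform like the one described above is how the IPv4 header is read out of the capture buffer. Behind a 14-byte Ethernet header the source and destination addresses sit at frame offsets 26 and 30, which are not 4-byte aligned, so a parser that reads them through a pointer cast to a 32-bit type depends on the CPU tolerating unaligned loads. The C program below is an added example, not code from the original post or from Snort or libpcap: it rebuilds the post's flow (192.168.100.8:1168 to 192.168.100.166:22) as a constructed Ethernet frame with made-up MAC addresses and a zero IP checksum, and parses it with memcpy-based reads, which are well-defined at any address on any CPU. That the capture is Ethernet, and whether alignment has anything to do with the NetWinder behaviour, are assumptions; the post does not establish either.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>
#include <sys/socket.h>
#include <arpa/inet.h>   /* ntohl, ntohs, htonl, inet_ntop */

#define ETH_HLEN   14    /* dst MAC (6) + src MAC (6) + EtherType (2) */
#define ETH_P_IPV4 0x0800
#define IP_SRC_OFF 12    /* offset of the source address inside the IPv4 header */
#define IP_DST_OFF 16    /* offset of the destination address */

struct flow {
    uint32_t src_ip, dst_ip;      /* host byte order */
    uint16_t src_port, dst_port;  /* host byte order */
};

/* Read big-endian fields through memcpy. Unlike *(uint32_t *)p, this is
 * well-defined at any address, so it cannot be broken by strict-alignment
 * CPUs or by how the capture library lays out its buffers. */
static uint32_t get_be32(const uint8_t *p)
{
    uint32_t v;
    memcpy(&v, p, sizeof v);
    return ntohl(v);
}

static uint16_t get_be16(const uint8_t *p)
{
    uint16_t v;
    memcpy(&v, p, sizeof v);
    return ntohs(v);
}

/* Is a 32-bit field at this frame offset naturally aligned, assuming the
 * frame buffer itself starts on a 4-byte boundary? For Ethernet, the IPv4
 * addresses land at offsets 26 and 30, so the answer is no. */
int field_is_word_aligned(size_t frame_offset)
{
    return frame_offset % 4 == 0;
}

/* Parse Ethernet / IPv4 / TCP-or-UDP addressing from a raw frame.
 * Returns 0 on success, -1 if the frame is truncated or not IPv4. */
int parse_flow(const uint8_t *frame, size_t len, struct flow *out)
{
    if (len < ETH_HLEN + 20) return -1;
    if (get_be16(frame + 12) != ETH_P_IPV4) return -1;

    const uint8_t *ip = frame + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;   /* header length in bytes */
    if ((ip[0] >> 4) != 4 || ihl < 20) return -1;
    if (len < ETH_HLEN + ihl + 4) return -1;      /* need both L4 ports */

    out->src_ip   = get_be32(ip + IP_SRC_OFF);
    out->dst_ip   = get_be32(ip + IP_DST_OFF);
    out->src_port = get_be16(ip + ihl);
    out->dst_port = get_be16(ip + ihl + 2);
    return 0;
}

/* Dotted-quad formatting; buf must hold at least 16 bytes. */
const char *ip_to_str(uint32_t host_order, char *buf, size_t buflen)
{
    struct in_addr a;
    a.s_addr = htonl(host_order);
    return inet_ntop(AF_INET, &a, buf, (socklen_t)buflen);
}

/* Constructed sample frame (not a real capture): made-up MAC addresses,
 * then an IPv4/TCP header for 192.168.100.8:1168 -> 192.168.100.166:22,
 * the flow from the post. The IP checksum is left as zero. */
const uint8_t sample_frame[] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,             /* dst MAC (made up) */
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,             /* src MAC (made up) */
    0x08, 0x00,                                     /* EtherType: IPv4 */
    0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00, /* v4, IHL 5, len 40, id 1 */
    0x40, 0x06, 0x00, 0x00,                         /* TTL 64, TCP, csum 0 */
    0xc0, 0xa8, 0x64, 0x08,                         /* src 192.168.100.8 */
    0xc0, 0xa8, 0x64, 0xa6,                         /* dst 192.168.100.166 */
    0x04, 0x90, 0x00, 0x16,                         /* TCP ports 1168 -> 22 */
};
const size_t sample_frame_len = sizeof sample_frame;

int main(void)
{
    struct flow f;
    char s[16], d[16];
    if (parse_flow(sample_frame, sample_frame_len, &f) != 0) {
        puts("parse failed");
        return 1;
    }
    printf("%s:%u -> %s:%u\n",
           ip_to_str(f.src_ip, s, sizeof s), f.src_port,
           ip_to_str(f.dst_ip, d, sizeof d), f.dst_port);
    printf("src addr at frame offset %d aligned: %s\n", ETH_HLEN + IP_SRC_OFF,
           field_is_word_aligned(ETH_HLEN + IP_SRC_OFF) ? "yes" : "no");
    return 0;
}
```

If a port of a packet parser reads the addresses through a cast such as `*(uint32_t *)(ip + 12)`, replacing those reads with memcpy-based accessors of this shape is the first thing to try on a CPU that does not tolerate unaligned loads; the ports at offsets 34 and 36 are 2-byte aligned and would be read correctly either way.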
