[Snort-users] Snort swapping src and dst in binary log?

David Gordon dgordon at ...8400...
Wed Jul 9 08:55:18 EDT 2003

I have a situation where snort seems to be swapping the source IP address
with the destination IP address and swapping the source port with the
destination port when it writes to a binary log file.

Snort is Version 2.0.0 (Build 72) running on linux.

I'm starting snort with the -bdeo, -c, -l and -i options. It is running with
the preprocessors included in the downloaded conf.

On the same computer and same interface I'm also running tcpdump -w (with
default snaplen).

I have been getting "[**] [1:1432:4] P2P GNUTella GET [**]" alerts
occasionally when a certain web page of ours gets a hit. This particular
rule alerts when $HOME_NET any -> $EXTERNAL_NET !80 traffic has "GET " in
the content. The alert shows our server as the src host, port 80 as the src
port, an internet ip address as the dest host and some high port as the dest
port. This agrees with the binary log written for that packet by snort.

The thing is, when I look at the binary file written by tcpdump, the packet
with the exact same timestamp and sequence number shows our server and port
80 as the destination host and port, and the internet ip and high port as
the source host and port. This agrees with activity I see recorded in both
the firewall and web server logs at that time. It seems that snort has
incorrectly handled the packet.

Any ideas of what could be causing this? 

Two observations:

1. The contents of the packets logged by the snort alert typically seem to
contain a lot of http content that seems to be unrelated to what should be
retrieved from our web site. I can't tell whether snort is corrupting the
binary file by including data from un-related packets or if there is
something fishy going on with these particular web pages. Given the mixup of
the header info, I suspect that snort is messing up for some reason.

2. The particular page that I've observed this on is a .NET developed aspx
It doesn't seem to happen every time this page is loaded. However, since
snort is only logging packets that generate alerts, it might be happening
more than is logged.

Any suggestions as to how to troubleshoot this?

More information about the Snort-users mailing list