[Snort-users] stream4_reassemble and logs

sekure sekure at ...11827...
Thu Jul 8 09:27:02 EDT 2004


I just upgraded to Snort 2.2.0RC1 on Solaris 8 and noticed a curious "feature".

I have stream4 and stream4_reassemble preprocessors enabled and log
things in tcpdump format as well as to a unified log facility for
insertion into MySQL. In previous versions of Snort,
stream4_reassemble used to mangle packets pretty badly, and output
packets to pcap and the unified log that would not be recognized as IP
packets because headers were all messed up. Best I could tell, snort
would insert extra data at the beginning of the packet and everythign
would shift "right", pushing some the last 6 or so bytes of the
destination ether address into the beginning of IP header. As a result
barnyard wouldn't process them and they would never make it into my
database.  I have plenty of examples, but for some reason i only
noticed this happening with FTP traffic.

Anyways, I upgraded to 2.2.0RC1 and suddenly started noticing certain
FTP alerts in my database that I never saw before.  When i went to
investigate, the pcap file on the sensor would still be mangled beyond
recognition (same as before), BUT the unified log would be accurate,
and if I ran it through barnyard and told it to recreate a pcap file,
i would have 4 (or however many were in the stream) correct,
individual packets, which get logged into the database.

So, EITHER, the unified output is messed up and not writing the
packets as a single reassembled packet when it should (which by the
way I like because i can finally see just what the heck i was

OR, the stream4 reassembly issue got fixed, but somehow the pcap log
function still isn't working correctly.

Either way, I am a little confused.  Definitely better off than i was
before, but still wishing for improvement. :)  Just wanted to dev team
to be aware.

Contact me if you want pcap samples of any of this.

More information about the Snort-users mailing list