Snort mailing list archives

Re: Garbage in snort logs


From: Russell Fulton <R.FULTON () auckland ac nz>
Date: 11 Jan 2002 09:43:58 +1300

From: Andreas Östling <andreaso () it su se>
Hello,

I experience the same problems as Russell from time to time.
I was running 1.8.3 (release version), but unfortunately build 89 did not 
solve all problems. The ethernet headers now seem to be correct, but the 
payload is still messed up.

[ snip ]

This is just a test machine so I'll try to experiment a bit. Any clever 
suggestions about what may be worth trying?
To me it seems like it's always those unicode requests that mess things up. 
Could there also be some problem with http_decode?

Agreed.


(did build 89 solve your problems, Russell?)

No, my experience mirrors yours.  I'm pleased I'm no longer alone; I was
starting to think I must have been imagining these problems ;-)

Here is some mail I sent to Marty this morning which has some other
ideas on this problem...

Hi Marty,
        I have just been corresponding with Brennan Bakke
<bbakke () solcon nl>
who reported finding bits of snort rules in logged ICMP packets (on the 
security focus incidents list).  I told him about the build 89 fixes and
suggested that these might fix his problems.  Someone else pointed out
(quite rightly) that the ICMP packets should not go anywhere near the 
stream4 preprocessor!

So I wonder if there is a bug somewhere much lower down in the stack
which is mangling some length and causing both these problems.

In my case turning off the stream4 stuff makes these alerts go away,
but that does *not* necessarily imply that it is the stream4 stuff that
is causing the problem in the first place. 

Cheers, Russell. 


-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
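The thread suspects a length-mangling bug somewhere below stream4, with the symptom that logged ICMP packets carry bytes of Snort's own rules. Below is an added diagnostic (example code written for this page, not part of the thread or of Snort) that checks a libpcap-format capture for exactly that: frames whose captured length disagrees with what the IPv4 header declares, trailing bytes that cannot be explained by Ethernet padding, and payload bytes that look like Snort rule syntax. It assumes the logged packets are available in libpcap format (the format Snort's binary log mode writes); the sample capture, frames, addresses and the rule fragment are all constructed inline for the example.

```python
import re
import struct

ETH_HDR_LEN = 14
ETH_MIN_FRAME = 60            # minimum Ethernet frame without FCS; shorter frames get padded
PCAP_MAGIC = 0xA1B2C3D4       # little-endian, microsecond libpcap
LINKTYPE_ETHERNET = 1

# Bytes that should never be inside a packet on a sensor: fragments of Snort's own rule
# language. A hit suggests the logger copied more than the real packet (e.g. adjacent memory).
RULE_FRAGMENT = re.compile(rb'(?:alert|log|pass)\s+(?:tcp|udp|icmp|ip)\s|msg:"|content:"|sid:\d+')


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over a 20-byte IPv4 header whose checksum field is zero."""
    total = sum(struct.unpack("!10H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo_frame(payload: bytes, slack: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/ICMP echo request. `slack` is appended *after* the bytes
    the IP total length accounts for, to mimic a logger that wrote too much.
    The ICMP checksum is left zero; it is not validated by this check."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + payload
    total_len = 20 + len(icmp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + icmp + slack


def build_pcap(frames) -> bytes:
    """Wrap frames in a minimal libpcap file (caplen == origlen for each record)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1010000000 + i, 0, len(frame), len(frame)) + frame
    return out


def parse_pcap(data: bytes):
    """Yield (caplen, origlen, frame_bytes) for each record of a little-endian pcap."""
    magic, = struct.unpack("<I", data[:4])
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap is handled in this example")
    off = 24
    while off + 16 <= len(data):
        _, _, caplen, origlen = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield caplen, origlen, data[off:off + caplen]
        off += caplen


def check_frame(raw: bytes) -> list:
    """Return a list of human-readable findings for one captured frame (empty = looks sane)."""
    findings = []
    if len(raw) < ETH_HDR_LEN + 20 or raw[12:14] != b"\x08\x00":
        return ["not an IPv4 frame (skipped)"]
    ihl = (raw[ETH_HDR_LEN] & 0x0F) * 4
    ip_hdr = raw[ETH_HDR_LEN:ETH_HDR_LEN + ihl]
    total_len, = struct.unpack("!H", ip_hdr[2:4])
    if ihl == 20:
        stored, = struct.unpack("!H", ip_hdr[10:12])
        if ipv4_checksum(ip_hdr[:10] + b"\x00\x00" + ip_hdr[12:]) != stored:
            findings.append("bad IPv4 header checksum")
    declared = ETH_HDR_LEN + total_len
    if len(raw) < declared:
        findings.append(f"truncated: captured {len(raw)} bytes, IP header declares {declared}")
    trailing = raw[declared:]
    # Caveat: frames shorter than 60 bytes are legitimately padded, normally with zeros,
    # so only non-zero trailing bytes (or padding beyond 60 bytes) count as suspicious.
    if trailing and not (len(raw) <= ETH_MIN_FRAME and trailing.strip(b"\x00") == b""):
        findings.append(f"{len(trailing)} bytes beyond the IP total length")
    m = RULE_FRAGMENT.search(raw[ETH_HDR_LEN + ihl:])
    if m:
        findings.append(f"Snort rule fragment in packet bytes: {m.group(0)!r}")
    return findings


def scan_pcap(data: bytes) -> list:
    """Run check_frame over every record; returns [(record_number, findings), ...]."""
    return [(n, check_frame(raw)) for n, (_, _, raw) in enumerate(parse_pcap(data), 1)]


# Constructed sample capture: a clean echo, a zero-padded short frame (benign), a frame
# carrying a fake rule fragment past its IP length (the symptom), and a truncated frame.
CLEAN = build_icmp_echo_frame(b"abc")
PADDED = build_icmp_echo_frame(b"") + b"\x00" * 18
MANGLED = build_icmp_echo_frame(b"abc", slack=b'alert tcp any any -> any 80 (msg:"WEB')
TRUNCATED = CLEAN[:40]
SAMPLE_PCAP = build_pcap([CLEAN, PADDED, MANGLED, TRUNCATED])

if __name__ == "__main__":
    for num, findings in scan_pcap(SAMPLE_PCAP):
        print(num, findings or "ok")
```

Point it at a real binary log by replacing SAMPLE_PCAP with the file's bytes; frames flagged with trailing bytes or rule text are the ones worth comparing against what the sniffer on the wire actually saw, which separates a capture-side problem from a logger-side one.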

