[Snort-devel] Merged packets - bug

From: Martin Olsson <elof(at)sentor.se>
Date: Fri Apr 25 2003 - 10:08:44 EDT

I've found a critical bug, but I'm not sure if it is in snort, libpcap, in my hardware or somewhere else.

Bug description:
When snort logs an alert, the logged packet is sometimes corrupt. It is a merge of the offending packet and some other data. The first part of the packet is the real offending packet, but at the end I see the payload from some completely different packet. The logged packet of course has a bad TCP checksum.

Has anyone else experienced the same thing?

I have twelve IBM servers with two built-in Broadcom Gigabit Ethernet interfaces. All twelve servers run snort 1.9.1 on FreeBSD 4.7 and all twelve of them have logged one or more packets with merged payload.

I think the bug is in snort since I think I would experience all kinds of other errors if the bug was located in the IBM hardware, the Broadcom interface, the FreeBSD Broadcom (bge) driver or in libpcap.

All my snorts are configured to log to file and MySQL. Both destinations get a copy of this corrupt packet.

/Martin
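Added example, not from the original post or from the snort project: a small Python checker that verifies the IPv4 header checksum and the TCP checksum of a raw logged packet and also flags bytes lying past the IP total length, which are the two symptoms a merged capture like the one described above can show depending on where the foreign bytes land. The packets it runs on are constructed inline and all function names are my own.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a valid field makes this return 0."""
    if len(data) % 2:
        data += b"\x00"  # odd length is zero-padded
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)

def check_ipv4_tcp(packet: bytes) -> dict:
    """Validate a raw IPv4/TCP packet (no link-layer header) and report findings."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    findings = {
        "ip_header_ok": ones_complement_sum(packet[:ihl]) == 0,
        "proto_tcp": packet[9] == 6,
        "trailing_bytes": max(0, len(packet) - total_len),  # bytes past IP length
        "tcp_checksum_ok": None,
    }
    if packet[9] == 6 and len(packet) >= total_len:
        # Checksum covers only the IP-declared length, as a stack or IDS would compute it.
        findings["tcp_checksum_ok"] = tcp_checksum(src, dst, packet[ihl:total_len]) == 0
    return findings

def build_ipv4_tcp(src: bytes, dst: bytes, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a well-formed IPv4/TCP packet with correct checksums (constructed test input)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    return ip + tcp

# Constructed samples: a clean packet, the same packet with its tail overwritten by
# twelve bytes "from another packet" (bad TCP checksum), and one with foreign bytes
# appended past the IP total length (checksum still passes, trailing bytes flagged).
SRC, DST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
GOOD = build_ipv4_tcp(SRC, DST, 40000, 80, b"GET /cgi-bin/x HTTP/1.0\r\n\r\n")
MERGED = GOOD[:-12] + b"other-packet"
APPENDED = GOOD + b"extra"
```

Run the checker over each logged packet and treat a failed TCP checksum or a non-zero trailing-byte count as a candidate for the merge described above rather than as a genuinely malformed packet on the wire.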




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Fri Apr 25 10:20:16 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:05 EDT
