
RE: [Snort-devel] significant changes from build 87 to build 88?

From: Erickson Brent W KPWA <erickson(at)kpt.nuwc.navy.mil>
Date: Sat Aug 02 2003 - 02:07:37 EDT


Hello all,

First of all I apologize for the Outlook e-mail even though I am sending in plain text. I know it probably still looks like junk.

We have seen this same problem from the Snort 2.0 release up to and including Snort 2.0.2 beta build 89. We have converted two of our Snort systems back to flow rules and disabled the stream4 plug-in for port reassembly.

Like Phil, we are verifying the problem against another Snort system that is capturing everything in binary dump mode.

Basically the alert goes off, the data content is correct, but the IP addresses and ports are incorrect and belong to a different TCP session.

I tried to capture some binary data on several occasions to send to the Snort developers but the files have been too large.

I personally greatly appreciate this wonderful Snort community and will continue to try and provide a binary capture.

Best wishes,


Brent Erickson

-----Original Message-----
From: Phil Wood [mailto:cpw@lanl.gov]
Sent: Friday, August 01, 2003 10:25 PM
To: snort-devel@lists.sourceforge.net
Cc: cpw@lanl.gov
Subject: [Snort-devel] significant changes from build 87 to build 88?

Folks,

Unfortunately, I'm running build 87 of Snort at a time when it is more or less critical to get some alerts right. The good news is that I have a pcap file, generated by tcpdump on a separate system, of the entire traffic in a 5 minute period. The bad news is that I also have a pcap file with a log entry, in pcap format, of an alert generated by Snort for the same 5 minute period that has incorrect IP addresses and TCP ports.

The data alerted on is found in an smtp session. The pcap file which cannot be wrong indicates that the session was:

  18.7.21.83(63446) => 128.165.0.8(25)

and is around 36,000 bytes (to and from)

Snort on the other hand alerted on the data found in the above session, but proclaims:


  128.165.4.101(53879) => 216.40.242.210(25)

did the deed. This session is around 7,813,616 bytes to and from in the pcap file and does not contain the content strings I was interested in.

Are you aware of this problem? Is it fixed in build 88? I have not tried to run Snort on the pcap file, since my brain is going and everything that goes into running Snort is automated. It will take some time to try and generate these alerts by hand from the pcap files. Just hoping for a short cut to the solution (like upgrade).

Thanks,

Phil
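The cross-check Phil describes above, done by hand: find which TCP session in the independent tcpdump capture actually carries the matched content, then compare that with the 5-tuple the alert names. The script below is an added example, not code from this thread or from Snort. Its pcap parser is deliberately minimal (classic pcap, IPv4/TCP over Ethernet, no IP fragments, payload concatenated in capture order with no TCP sequence-number reordering), and the sample capture, the content string and the two sessions in it are constructed here, reusing the addresses from Phil's message.

```python
"""Locate the TCP session in a pcap that really carries a content string and
check it against the addresses an IDS alert reported.  Standard library only."""
import struct
from collections import defaultdict


def ip_to_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_frame(src_ip, sport, dst_ip, dport, payload):
    """Minimal Ethernet/IPv4/TCP frame with zeroed checksums (constructed test data)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         ip_to_bytes(src_ip), ip_to_bytes(dst_ip))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip_hdr + tcp_hdr + payload


def build_pcap(frames):
    """Wrap frames in a little-endian, microsecond pcap (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, f in enumerate(frames):
        out.append(struct.pack("<IIII", 1059792000 + i, 0, len(f), len(f)) + f)
    return b"".join(out)


def iter_frames(pcap):
    """Yield the captured bytes of each record; honours either byte order."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        order = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        order = ">"
    else:
        raise ValueError("not a classic pcap file")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(order + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_fields(frame):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6 or total_len > len(ip):
        return None
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return bytes_to_ip(ip[12:16]), sport, bytes_to_ip(ip[16:20]), dport, tcp[data_off:]


def flow_key(src, sport, dst, dport):
    """Direction-independent key so both halves of a session land together."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def sessions_containing(pcap, needle):
    """Sessions whose payload (both directions, in capture order) contains needle.
    No sequence reordering: good enough to attribute a match, not to rebuild a stream."""
    streams = defaultdict(bytearray)
    for frame in iter_frames(pcap):
        f = tcp_fields(frame)
        if f is None:
            continue
        src, sport, dst, dport, payload = f
        streams[flow_key(src, sport, dst, dport)] += payload
    return sorted(k for k, data in streams.items() if needle in data)


def alert_is_consistent(pcap, needle, src, sport, dst, dport):
    """True when the session named by an alert really carries the matched content."""
    return flow_key(src, sport, dst, dport) in sessions_containing(pcap, needle)


# Constructed sample capture: the content string and both sessions are made up here;
# the addresses are the ones quoted in the thread.
NEEDLE = b"Subject: quarterly numbers"
SAMPLE_PCAP = build_pcap([
    build_frame("128.165.0.8", 25, "18.7.21.83", 63446, b"220 mail.example ESMTP\r\n"),
    build_frame("18.7.21.83", 63446, "128.165.0.8", 25, b"MAIL FROM:<a@example>\r\n"),
    build_frame("18.7.21.83", 63446, "128.165.0.8", 25, b"DATA\r\n" + NEEDLE + b"\r\n"),
    build_frame("128.165.4.101", 53879, "216.40.242.210", 25, b"EHLO host.example\r\n"),
    build_frame("216.40.242.210", 25, "128.165.4.101", 53879, b"250 OK\r\n"),
])

if __name__ == "__main__":
    for (a, pa), (b, pb) in sessions_containing(SAMPLE_PCAP, NEEDLE):
        print(f"content found in {a}({pa}) <=> {b}({pb})")
    print("alerted tuple consistent:",
          alert_is_consistent(SAMPLE_PCAP, NEEDLE, "128.165.4.101", 53879, "216.40.242.210", 25))
```

Run against a real capture by replacing SAMPLE_PCAP with the file's bytes and NEEDLE with the rule's content string; if the session the alert names is absent from sessions_containing(), the alert's addresses were taken from another flow, which is exactly the symptom described in this thread.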




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Sat Aug 2 02:11:41 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:06 EDT

