
[Snort-devel] problem in packet content captured by snort

From: kanika malhotra <kmalhotr(at)usc.edu>
Date: Mon Apr 26 2004 - 00:15:22 EDT


Hello,

We have written a detection plugin for the worm detection. But there has been something weird happening recently. I have multiple machines on my LAN, all of which are sending traffic to the gateway of the LAN. My snort code resides on the gateway.

The content of my worm packets is similar across packets but when I display them via p->data in my plugin, I see more content than the original packet sent from my machines.

For example, I am sending packet sizes of 100 bytes (hardcoded) but when I display p->data in my snort plugin, I see content which is > 100 bytes. I displayed p->dsize, which shows 100, but when I check the sizeof p->data it is > 100. I don't know why this is happening, but this is creating problems for me when I try to look at the content of my packets for my plugin. The garbage data looks like left over data from other packets received by Snort, thus I am wondering whether I need to flush out the contents of p->data or what the error is here?

I have \0 the buffer that I send from the machines, and have also displayed the packet sent and received on my sources and destinations. They look the same to me (as sent) but for some reason Snort seems to be seeing more data than sent.

Does anyone have any clue why this is happening?

Thanks in advance,

Kanika
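Added example (not from the poster, and not Snort's own code) showing the handling the question points at: p->data is a pointer into a capture buffer that carries no terminator and is reused between packets, so a string-style print of it can run on into bytes left from an earlier packet, while sizeof(p->data) only yields the pointer size. The Packet struct below is a constructed stand-in with just the two fields discussed; the only safe bound on the payload is p->dsize.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the two Packet fields the message talks about.
 * This is NOT Snort's real struct definition. */
typedef struct {
    const uint8_t *data;  /* pointer into the capture buffer; no NUL terminator */
    uint16_t dsize;       /* number of payload bytes actually in this packet */
} Packet;

/* Copy exactly p->dsize payload bytes into a NUL-terminated caller buffer,
 * mapping non-printable bytes to '.'. Never reads past dsize, so stale
 * bytes beyond the payload cannot leak into the output.
 * Returns the number of payload bytes written (capped by outlen - 1). */
size_t payload_as_text(const Packet *p, char *out, size_t outlen) {
    if (outlen == 0) return 0;
    size_t n = p->dsize;
    if (n > outlen - 1) n = outlen - 1;   /* leave room for the terminator */
    for (size_t i = 0; i < n; i++) {
        uint8_t c = p->data[i];
        out[i] = (c >= 0x20 && c < 0x7f) ? (char)c : '.';
    }
    out[n] = '\0';
    return n;
}

/* Reproduces the symptom with a constructed capture buffer: a 100-byte
 * payload followed by leftovers from a previous, larger packet. A "%s"
 * print of p->data would run into the leftovers; the bounded copy stops
 * at dsize. Returns the number of bytes the bounded copy produced. */
size_t demo_stale_buffer(char *out, size_t outlen) {
    static uint8_t capbuf[160];              /* constructed, reused buffer */
    memset(capbuf, 'A', 100);                /* this packet's 100-byte payload */
    memcpy(capbuf + 100, "LEFTOVER-FROM-PREVIOUS-PACKET", 29);
    Packet p = { capbuf, 100 };
    return payload_as_text(&p, out, outlen);
}

int main(void) {
    char text[256];
    size_t n = demo_stale_buffer(text, sizeof text);
    printf("sizeof(p->data) = %zu (pointer size, not payload length)\n",
           sizeof(const uint8_t *));
    printf("dsize = %zu, printed %zu bytes: %s\n", n, strlen(text), text);
    return 0;
}
```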




Snort-devel mailing list
Snort-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-devel

Received on Mon Apr 26 00:19:07 2004

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:08:10 EDT

