This is a discussion on [Snort-users] snort 2.1.0 bugs ? within the Snort forums, part of the System Security and Security Related category.
Hi,

Analysing snort-2.1.0 on Debian GNU/Linux 2.2, facing problems with the following:

1. arpspoof is not alerting properly when detected.
Say there are more than one IP/MAC address in the table. It always alerts only for the last item in the list, even though the ARP frame is detected for that particular IP/MAC.
I checked the code in spp_arpspoof.c for LookupIPMacEntryByIP():

    IPMacEntry *LookupIPMacEntryByIP(IPMacEntryList *ip_mac_entry_list,
                                     u_int32_t ipv4_addr)
    {
        IPMacEntryListNode *current;

        if (ip_mac_entry_list == NULL)
            return NULL;

        /* walk the list and return the first entry whose IP matches */
        for (current = ip_mac_entry_list->head; current != NULL; current = current->next)
        {
            if (current->ip_mac_entry->ipv4_addr == ipv4_addr)
            {
                DEBUG_WRAP(DebugMessage(DEBUG_PLUGIN,
                           "MODNAME: LookupIPMecEntryByIP() match!"););
                return current->ip_mac_entry;
            }
        }
        return NULL;
    }

The matching of the IP/MAC address in the table is clear, but I couldn't understand why it always reports for the last node in the list. As I am new to snort, I couldn't explore much how snort detects these packets and logs them.
Even tried with the patch from http://oasis.uptsoft.com/~devnull/spp_arpspoof.c. Snort dies because it says that arpspoof_detect_host is not recognised by it. I know that this is like dynamic creation of these preprocessors on the packets on a threshold basis. But say if I manually wanted to configure a particular IP/MAC, then how do I do it? Please do give your suggestions on this.

2. The alerting mechanism for rules looks different between snort-2.0.5 and snort-2.1.0. Some of the rules do not raise alerts, even though the packet matches the rule criteria.

B.Regards,
Koay
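As an added example (not Snort's code and not part of the original post), the following stand-in rebuilds the arpspoof preprocessor's IP/MAC table with the same list walk as the quoted function, so one can check in isolation that the lookup returns the node for the IP actually asked about, not the last node; the struct layouts, AddIPMacEntry(), CheckArpSender() and the sample hosts are assumptions modelled on the snippet.

```c
/* Added example, not Snort's code: a stand-in for the arpspoof preprocessor's
 * IP/MAC table (names modelled on the quoted snippet; layout is an assumption)
 * to check that the list walk returns the matching node, not the last one. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct { uint32_t ipv4_addr; uint8_t mac_addr[6]; } IPMacEntry;
typedef struct IPMacEntryListNode {
    IPMacEntry *ip_mac_entry;
    struct IPMacEntryListNode *next;
} IPMacEntryListNode;
typedef struct { IPMacEntryListNode *head, *tail; } IPMacEntryList;

/* Append one configured host, preserving configuration order. */
static void AddIPMacEntry(IPMacEntryList *l, uint32_t ip, const uint8_t mac[6])
{
    IPMacEntryListNode *n = calloc(1, sizeof *n);
    n->ip_mac_entry = calloc(1, sizeof *n->ip_mac_entry);
    n->ip_mac_entry->ipv4_addr = ip;
    memcpy(n->ip_mac_entry->mac_addr, mac, 6);
    if (l->tail) l->tail->next = n; else l->head = n;
    l->tail = n;
}
/* Same walk as the quoted function: first node whose IP matches. */
static IPMacEntry *LookupIPMacEntryByIP(IPMacEntryList *l, uint32_t ip)
{
    for (IPMacEntryListNode *c = l ? l->head : NULL; c; c = c->next)
        if (c->ip_mac_entry->ipv4_addr == ip) return c->ip_mac_entry;
    return NULL;
}
/* ARP reply check: 1 = sender MAC differs from the configured one (alert),
 * 0 = matches, -1 = sender IP not configured (not monitored). */
static int CheckArpSender(IPMacEntryList *l, uint32_t ip, const uint8_t mac[6])
{
    IPMacEntry *e = LookupIPMacEntryByIP(l, ip);
    return e ? memcmp(e->mac_addr, mac, 6) != 0 : -1;
}
/* Constructed sample: two hosts, then replies claiming the FIRST host's IP. */
static int RunSample(void)
{
    static const uint8_t gw[6]    = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
    static const uint8_t srv[6]   = {0x00, 0xaa, 0xbb, 0xcc, 0xdd, 0xee};
    static const uint8_t rogue[6] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
    IPMacEntryList l = {0};
    AddIPMacEntry(&l, 0xC0A80101, gw);  /* 192.168.1.1 */
    AddIPMacEntry(&l, 0xC0A80102, srv); /* 192.168.1.2 */
    return (CheckArpSender(&l, 0xC0A80101, gw) == 0)       /* genuine */
         + (CheckArpSender(&l, 0xC0A80101, rogue) == 1)    /* spoofed */
         + (CheckArpSender(&l, 0xC0A80103, rogue) == -1);  /* unmonitored */
}
```

RunSample() returns 3 when all three checks hit the first entry correctly, which shows the walk itself is not what picks the last node; the difference in what gets alerted must come from how the preprocessor feeds packets to the lookup or builds the list.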