This is a discussion on [Snort-users] Session mixup by stream4 within the Snort forums, part of the System Security and Security Related category.
Hi

I came across this post in the neohapsis archives, which discusses an issue similar to what I seem to be facing. It is at:

http://archives.neohapsis.com/archives/snort/2003-01/0858.html
http://archives.neohapsis.com/archives/snort/2003-01/0872.html

The discussion talks about a session payload mixup in data captured by snort. I am also facing this issue in some sessions that I get from snort. I am using snort 2.0 and snort 2.3 ORC2, and found the issue in both versions. Chris mentioned in the post that the issue has been fixed in HEAD CVS. The discussion was about version 1.9.0. Since I am using a newer version of snort, could you please tell me if the same fix has been applied to the newer versions, or is there some update I need to get to fix it?

In order to figure out the session mixup issue, I did the following:

a) Ran two snorts simultaneously, Snort-A and Snort-B. Snort-A captures the traffic and dumps it in tcpdump format, using the -b option, and Snort-B creates the sessions in real time.

b) Then I ran Snort-C (same executable as Snort-B), which created sessions from the tcpdump file produced by Snort-A. I found that the sessions created by Snort-C for the problematic ones were not identical to the sessions created by Snort-B, and I also noticed that the sessions created by Snort-C had a smaller number of session mixups.

I also noted that some sessions created by Snort-B, which appeared incomplete (data from the last one or two packets were missing), were fully formed when created by Snort-C.

Is there any difference between session reassembly in real time and session reassembly using the -r option?

During the test, we had tweaked Snort-B a bit so that it dumps all the sessions that are reassembled. We did this by hard coding gotevent = 1 and commenting out the call to the preprocessor function in the FlushStream function of ssp_stream4.c:

    // gotevent = Preprocess(stream_pkt); // Commented
    gotevent = 1;

Regards
Sonali Gupta
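The comparison step of the experiment above (Snort-B live sessions versus Snort-C sessions rebuilt from the same capture) can be made mechanical. The following is an added example, not code from the original post or from Snort: it classifies each session as identical, truncated (the live dump stops short, matching the "last one or two packets missing" symptom) or mismatched (payload diverges inside the stream, the case worth inspecting for a mixup). It assumes sessions are keyed by a constructed "src:sport-dst:dport" string and that payloads are already loaded as bytes; the sample data is constructed.

```python
"""Compare stream4 session payloads reassembled live (Snort-B) with those
reassembled offline from the same capture (Snort-C). Assumption, not from the
post: sessions are keyed by a constructed "src:sport-dst:dport" string and the
reassembled payload is held as bytes (read from the session files in practice)."""
from typing import Dict

def classify_session(live: bytes, offline: bytes) -> str:
    """identical: same bytes from both runs.
    truncated: live is a strict prefix of offline (trailing packets lost at
    flush time, as the post describes).
    mismatch: payloads diverge inside the stream, a candidate for the
    cross-session payload mixup the post discusses."""
    if live == offline:
        return "identical"
    if offline.startswith(live):
        return "truncated"
    return "mismatch"

def first_divergence(a: bytes, b: bytes) -> int:
    """Offset at which the payloads first differ (common length if one is a prefix)."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n

def compare_runs(live: Dict[str, bytes], offline: Dict[str, bytes]) -> Dict[str, dict]:
    """Report per-session status for every session key seen by either run."""
    report = {}
    for key in sorted(set(live) | set(offline)):
        if key not in live or key not in offline:
            report[key] = {"status": "missing-in-" + ("live" if key not in live else "offline")}
            continue
        report[key] = {"status": classify_session(live[key], offline[key]),
                       "live_len": len(live[key]), "offline_len": len(offline[key]),
                       "diverge_at": first_divergence(live[key], offline[key])}
    return report

# Constructed sample data standing in for the session dumps of the two runs.
LIVE = {"10.0.0.5:40001-10.0.0.9:80": b"GET /index.html HTTP/1.0\r\n\r\n",
        "10.0.0.5:40002-10.0.0.9:80": b"GET /a.html HTTP/1.0\r\n",
        "10.0.0.5:40003-10.0.0.9:25": b"HELO client\r\nMAIL FROM:<x@y>\r\n"}
OFFLINE = {"10.0.0.5:40001-10.0.0.9:80": b"GET /index.html HTTP/1.0\r\n\r\n",
           "10.0.0.5:40002-10.0.0.9:80": b"GET /a.html HTTP/1.0\r\nHost: www\r\n\r\n",
           "10.0.0.5:40003-10.0.0.9:25": b"HELO client\r\nRCPT TO:<z@w>\r\n"}

if __name__ == "__main__":
    for key, info in compare_runs(LIVE, OFFLINE).items():
        print(key, info)
```

A "truncated" result points at flush timing in the live run, whereas a "mismatch" with a small diverge_at offset is the pattern to pull the raw capture for.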