On Thu, 2002-01-10 at 06:21, Eric Landuyt wrote: > Hello Brennan, > > BB> I do not like seeing strings like "arpspoof", "frag/defrag", > BB> "stream_reassemble", "portscan", "rpc_decode", and "telnet_decode" in Large > BB> ICMP Packets. > > BB> Is this a Loki style covert communication channel, or just normal traffic? > > Fortunately, I think that this is not the case here. > If I remember some preceding browsing in Snort's source code ;), > most of the strings we found at the END OF THE DUMP (not the end of the > packet... I'll explain further) are identifiers/function > names/params/... from Snort's itself. > For example, we can find "stream4_reassemble" (relative to stream > reassembling engine), or "spade-homenet" (relative to Spade - > Statistical Packet Anomaly Detection Engine, a Snort preprocessor > plugin). > There are bugs in the stream4 reassembling whereby snort gets the lengths wrong and this causes 'garbage' to be appended to the packets before they go through the packet matching engine and logging. Marty made some changes yesterday which are in the latest 1.8.3 branch of the CVS. I have not yet tried out this version as I can not figure out how to get the 1.8.3 branch from the CVS. -- Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jan 09 2002 - 14:51:18 PST