OSEC

Subject: Re: [snort] Spurious ALERT msgs in syslog
From: Erich Meier (Erich.Meier@informatik.uni-erlangen.de)
Date: Tue Mar 07 2000 - 10:06:36 CST


On Mon, Mar 06, 2000 at 05:01:39PM -0500, Martin Roesch wrote:
> Erich Meier wrote:
> >
> > Feb 9 14:02:00 <SNORTHOST> snort[15126]: ALERT: W.X.Y.Z:1624 -> A.B.C.D:80
> >
> > This bug seems to be triggered by "session" keyword. When using rules like
> > log tcp any any <> $INTERNAL 23 (session: all;)
> > the packets are logged by the output plugins and reported as alerts like shown
> > above. No session file is created, though.
> >
> > It seems, that the syslog_alert output plugin and the log.c standard mechanism
> > do not work together very well.
> >
> > Can anyone confirm this?
>
> This is caused by the complete suckage that is the output plugin system
> in 1.6-beta10.2. I've completely rewritten it and it'll work much
> better now. Stay tuned for the beta 11 announcement coming later
> today....

Okay, session dumps now work when the tcpdump output plugin is not enabled.
But when it is enabled, sessions are not dumped.

I think that something like

   if(otn_tmp != NULL && otn_tmp->session_flag)  /* rule carried the "session:" keyword */
   {
      OpenSessionFile(p);            /* open the session file for this packet's connection */
      DumpSessionData(session, p);   /* append this packet's payload to it */
      fclose(session);
   }

together with the appropriate otn_tmp and session definitions in LogTcpdump()
would do the trick.

Looking a bit closer at the code makes me think that this session dumping
stuff works only for one session at a time.

Right?

Erich

-- 
Erich Meier                              Erich.Meier@informatik.uni-erlangen.de
                                 http://www4.informatik.uni-erlangen.de/~meier/
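The limitation raised in the message above (a single global session file pointer that is opened and closed per packet, so interleaved connections cannot be kept apart) is easiest to see next to a per-connection alternative. The following is an added example, not snort code from the original post or from the snort project: it keys each session by a direction-independent (ip, port) pair and appends payloads to per-session buffers in memory instead of to files. All names in it (pkt_t, session_t, session_lookup, session_append, replay_sample) and the sample traffic are this example's own constructions.

```c
/* Added example (not snort code): per-connection session tracking.
 * A single global FILE* opened per packet, as in the 1.6-beta session
 * dumper, mixes up interleaved connections; keying by a canonical
 * 4-tuple keeps them apart. pkt_t/session_t are hypothetical types. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define MAX_SESSIONS 64
#define MAX_DATA 4096

typedef struct {
    uint32_t sip, dip;      /* IPv4 addresses, host byte order */
    uint16_t sport, dport;
    const char *payload;
    size_t len;
} pkt_t;

typedef struct {
    uint32_t ip_a, ip_b;    /* canonical order: lower (ip, port) first */
    uint16_t port_a, port_b;
    char data[MAX_DATA];    /* concatenated payload of both directions */
    size_t len;
    int in_use;
} session_t;

static session_t sessions[MAX_SESSIONS];

/* Canonicalize so that A->B and B->A packets select the same session. */
static void canon_key(const pkt_t *p, uint32_t *ip_a, uint16_t *port_a,
                      uint32_t *ip_b, uint16_t *port_b)
{
    int swap = (p->sip > p->dip) || (p->sip == p->dip && p->sport > p->dport);
    *ip_a = swap ? p->dip : p->sip;   *port_a = swap ? p->dport : p->sport;
    *ip_b = swap ? p->sip : p->dip;   *port_b = swap ? p->sport : p->dport;
}

/* Find the session for a packet; allocate a free slot if create != 0. */
session_t *session_lookup(const pkt_t *p, int create)
{
    uint32_t ia, ib; uint16_t pa, pb;
    canon_key(p, &ia, &pa, &ib, &pb);
    for (int i = 0; i < MAX_SESSIONS; i++) {
        session_t *s = &sessions[i];
        if (s->in_use && s->ip_a == ia && s->ip_b == ib &&
            s->port_a == pa && s->port_b == pb)
            return s;
    }
    if (!create) return NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!sessions[i].in_use) {
            session_t *s = &sessions[i];
            memset(s, 0, sizeof *s);
            s->in_use = 1; s->ip_a = ia; s->ip_b = ib;
            s->port_a = pa; s->port_b = pb;
            return s;
        }
    }
    return NULL; /* table full: the caller must decide whether to drop */
}

/* Append a packet's payload to its own session; returns bytes stored. */
size_t session_append(const pkt_t *p)
{
    session_t *s = session_lookup(p, 1);
    if (!s || p->len == 0) return 0;
    size_t room = MAX_DATA - 1 - s->len;          /* keep a NUL terminator */
    size_t n = p->len < room ? p->len : room;
    memcpy(s->data + s->len, p->payload, n);
    s->len += n;
    s->data[s->len] = '\0';
    return n;
}

int session_count(void)
{
    int n = 0;
    for (int i = 0; i < MAX_SESSIONS; i++) n += sessions[i].in_use;
    return n;
}

void session_reset(void) { memset(sessions, 0, sizeof sessions); }

/* Constructed sample traffic: two telnet sessions whose packets interleave.
 * 10.0.0.2:23 is the server; 10.0.0.1 and 10.0.0.3 are clients. */
static const pkt_t sample[] = {
    { 0x0A000002, 0x0A000001, 23, 1624, "login: ", 7 },
    { 0x0A000002, 0x0A000003, 23, 1700, "login: ", 7 },
    { 0x0A000001, 0x0A000002, 1624, 23, "alice\r\n", 7 },
    { 0x0A000003, 0x0A000002, 1700, 23, "bob\r\n", 5 },
};

/* Replay the sample and return how many distinct sessions were seen. */
int replay_sample(void)
{
    session_reset();
    for (size_t i = 0; i < sizeof sample / sizeof sample[0]; i++)
        session_append(&sample[i]);
    return session_count();
}

int main(void)
{
    printf("%d sessions\n", replay_sample());
    for (int i = 0; i < MAX_SESSIONS; i++)
        if (sessions[i].in_use) printf("session %d: %s", i, sessions[i].data);
    return 0;
}
```

With a single shared file pointer the two "login: " packets and the two replies would land in one stream in arrival order; with the canonical-key lookup each client's dialogue stays in its own buffer, which is the behaviour one would expect from a "session:" rule matching several connections at once. A real implementation would also need to expire sessions (on FIN/RST or a timeout) to free table slots.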