
[firestorm054] pb with 'bad traffic syn to multicast address' on fbsd48 (not on linux)



Hi All,

I tested new release 054 of firestorm,

and I have a problem.

Attached is the tcpdump file. (I am not using tcpreplay here.)

I have no problem with Linux,

but I have a problem with FreeBSD 4.8.

I have installed FreeBSD 4.8-RELEASE,

compiled/installed firestorm 0.5.4 (same problem with 0.5.3 and 0.5.3pre3),

with NO modifications to the firestorm source.

modified firestorm.conf:
#capture pcap if='any'
capture tcpdump file='/var/tmp/firestorm-badtrafficsyntomulticastaddress.tcpdump'

and here is the firestorm event (via firecat ascii):
test# /usr/bin/firecat -f ascii /var/tmp/log/@3ef483d1.00030849.elog
  packet: 2003-06-21 18:12:01.440723 len=62 caplen=62
   alert: [sig.tcp] BAD TRAFFIC syn to multicast address (sid=1431.4 prio=2)
ethernet: 00:00:00:00:00:00 > 02:00:00:00:00:00 proto=0x0800
      ip: 217.128.40.199 > 24.78.142.0 ttl=64 proto=6 len=48
     tcp: 4662 > 3889 [*S**A***] seq=0xbc9b4ed5 ack=0x129410f3 win=5840
00000 : ..............E. 02 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
00010 : .0..@.@..2..(..N 00 30 00 00 40 00 40 06 92 32 D9 80 28 C7 18 4E
00020 : ...6.1..N.....p. 8E 00 12 36 0F 31 BC 9B 4E D5 12 94 10 F3 70 12
00030 : ..sJ..........   16 D0 73 4A 00 00 02 04 05 B4 01 01 04 02

and here is the firestorm-nids log:
test# firestorm-nids
1064459674.065583 info: Firestorm v0.5.4
1064459674.065656 info: Copyright (c) 2002,2003 Gianni Tedesco
1064459674.065666 info: This program is released under the terms of the GNU GPL version 2 (see: COPYING)
1064459674.068751 info: plugin: capture.fagrouter[0.1]: TCP stream test rig
1064459674.068924 info: plugin: capture.tcpdump[2.0]: Reads packets in from tcpdump files
1064459674.069468 info: plugin: capture.pcapfile[1.0]: Offline libpcap capture
1064459674.069662 info: plugin: capture.pcap[1.0]: Live libpcap capture
1064459674.069909 info: plugin: decode.ether[2.1]: Ethernet II, 802.3, LLC and SNAP
1064459674.070223 info: plugin: decode.tcpip[2.0]: The Internet Protocol
1064459674.070367 info: plugin: decode.irda[0.1]: IRDA (Infra-Red)
1064459674.070509 info: plugin: decode.vlan[1.0]: 802.1q aka vlan
1064459674.070641 info: plugin: decode.igmp[2.0]: Internet Group Messaging Protocol
1064459674.070797 info: plugin: decode.http[0.1]: Hyper-text Transfer Protocol
1064459674.070940 info: plugin: decode.smtp[0.1]: Simple Mail Transfer Protocol
1064459674.071094 info: plugin: decode.arp[2.0]: ARP/RARP
1064459674.071238 info: plugin: decode.gre[2.0]: Generic Routing Encapsulation
1064459674.071400 info: plugin: decode.sll[1.0]: Linux SLL
1064459674.071590 info: plugin: decode.ipx[1.1]: Internetwork Packet eXchange
1064459674.071748 info: plugin: decode.sap[0.2]: Service Advertising Protocol
1064459674.072090 info: plugin: parser.snort[2.0]: Snort ruleset files
1064459674.072264 info: plugin: preproc.spoon[0.1]: S.P.O.O.N. Anomaly Detection
1064459674.072425 info: plugin: match.icmp[2.0]: ICMP matching routines
1064459674.072575 info: plugin: match.http[0.1]: HTTP matching routines
1064459674.072726 info: plugin: match.dns[0.1]: DNS matching routines
1064459674.072874 info: plugin: match.udp[2.0]: UDP matching routines
1064459674.073038 info: plugin: match.rpc[2.0]: RPC matching routines
1064459674.073190 info: plugin: match.std[2.0]: Generic matching routines
1064459674.073378 info: plugin: match.str[2.0]: String matching routines
1064459674.073559 info: plugin: match.tcp[2.0]: TCP matching routines
1064459674.073728 info: plugin: match.ipx[1.1]: IPX matching routines
1064459674.073942 info: plugin: match.ip[2.0]: IP matching routines
1064459674.074411 info: tcpdump: /var/tmp/firestorm-badtrafficsyntomulticastaddress.tcpdump: standard: snaplen=1514
1064459674.074486 info: alert: /var/tmp/log/: max log size: 1024KB
1064459674.074498 info: alert: /var/tmp/log/: max log age: 1 hrs 0 mins
1064459674.074509 info: alert: /var/tmp/log/: buffered output: 16KB buffer
1064459674.074526 info: ipfrag: mem_hi=1048576 mem_lo=786432 minttl=0 timeout=30s
1064459674.096305 info: tcpstream: 32768 streams in 513 buckets (4736 KB)
1064459674.096350 info: tcpstream: TCP stream reassembly is ENABLED: 16384 flows
1064459674.191761 info: signature: 1663 signatures loaded
1064459674.250801 info: capture: tcpdump[file='/var/tmp/firestorm-badtrafficsyntomulticastaddress.tcpdump']: started
1064459674.251383 info: capture: tcpdump[file='/var/tmp/firestorm-badtrafficsyntomulticastaddress.tcpdump']: stopped: 18 packets
1064459674.251648 debug: ELAPSED CPU: 0.000151
1064459674.251743 info: exit: Firestorm exiting normally
1064459674.251848 info: alert: /var/tmp/log/: flushing to disk.
1064459674.266157 debug: logrotate: /var/tmp/log/@3ef483d1.00030849.elog
1064459674.266371 info: loader: unloading all plugins
1064459674.266477 info: ipfrag: 0 reassembled packets, 0 reasm errors, 0 timeouts
1064459674.266592 info: ipfrag: 0 times out of memory, 0KB still used
1064459674.266684 info: tcpstream: max_concurrent=1 num_active=1
1064459674.266785 info: tcpstream: max_flows=0 num_flows=0
1064459674.266887 info: tcpstream: 0 state errors out of 18 packets
1064459674.266987 info: tcpstream: 0 broadcasts, 0 ttl evasions, 0 timeouts, 0 reassembled
1064459674.267130 debug: cleanup: exit with code 0


Could you help me?

Regards.

Franck

Attachment: firestorm-badtrafficsyntomulticastaddress.tcpdump.gz
Description: GNU Zip compressed data
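An added triage check for a report like the one above (example code written for this page; it is not firestorm, firecat or Snort code). It rebuilds the frame from the firecat hex dump quoted in the report, decodes the Ethernet II / IPv4 / TCP headers, and re-evaluates the two conditions a "syn to multicast address" rule is assumed to require: the SYN bit set (any other flags allowed, as in a Snort `flags:S+` test) and a destination inside 224.0.0.0/4. That reading of sid 1431 is an assumption, since the message does not quote the rule; the function names, the `MULTICAST` constant and the control frames built in the test are the example's own.

```python
"""Re-check a 'BAD TRAFFIC syn to multicast address' verdict against raw frame bytes.

Added triage example for the report above; not firestorm's, firecat's or Snort's code.
"""
import ipaddress
import struct

# The frame exactly as firecat printed it in the report
# (offset, ' : ', a 16-character ASCII column, then the hex bytes).
FIRECAT_DUMP = """\
00000 : ..............E. 02 00 00 00 00 00 00 00 00 00 00 00 08 00 45 00
00010 : .0..@.@..2..(..N 00 30 00 00 40 00 40 06 92 32 D9 80 28 C7 18 4E
00020 : ...6.1..N.....p. 8E 00 12 36 0F 31 BC 9B 4E D5 12 94 10 F3 70 12
00030 : ..sJ..........   16 D0 73 4A 00 00 02 04 05 B4 01 01 04 02
"""

# Assumed rule semantics (Snort sid 1431 style): TCP, SYN bit set with any other
# flags allowed ('flags:S+'), destination inside the IPv4 multicast block.
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_NAMES = [(TCP_FIN, "F"), (TCP_SYN, "S"), (TCP_RST, "R"),
              (TCP_PSH, "P"), (TCP_ACK, "A"), (TCP_URG, "U")]


def parse_firecat_dump(text):
    """Turn firecat's ASCII+hex dump back into the raw frame bytes."""
    raw = bytearray()
    for line in text.splitlines():
        if " : " not in line:
            continue
        body = line.split(" : ", 1)[1][17:]  # drop the 16-char ASCII column and its separator
        raw += bytes.fromhex(body.replace(" ", ""))
    return bytes(raw)


def decode_tcp(frame):
    """Parse Ethernet II / IPv4 / TCP headers; raise ValueError for anything else."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not IPv4 over Ethernet II")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 6 or len(ip) < ihl + 20:
        raise ValueError("not a complete TCP/IPv4 packet")
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src": ipaddress.IPv4Address(ip[12:16]),
        "dst": ipaddress.IPv4Address(ip[16:20]),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],  # low 6 bits of the TCP flags byte
    }


def flag_string(flags):
    """Compact flag rendering, e.g. 0x12 -> 'SA'."""
    return "".join(name for bit, name in FLAG_NAMES if flags & bit)


def syn_to_multicast(fields):
    """True only when both assumed rule conditions hold."""
    return bool(fields["flags"] & TCP_SYN) and fields["dst"] in MULTICAST


def why_not(fields):
    """List the rule conditions the packet fails, for the triage note."""
    reasons = []
    if not fields["flags"] & TCP_SYN:
        reasons.append("SYN bit not set (flags=%s)" % flag_string(fields["flags"]))
    if fields["dst"] not in MULTICAST:
        reasons.append("%s is not in %s" % (fields["dst"], MULTICAST))
    return reasons


if __name__ == "__main__":
    f = decode_tcp(parse_firecat_dump(FIRECAT_DUMP))
    print("%s:%d -> %s:%d [%s]" % (f["src"], f["sport"], f["dst"], f["dport"],
                                   flag_string(f["flags"])))
    print("rule should fire:", syn_to_multicast(f), why_not(f))
```

Run stand-alone it prints `217.128.40.199:4662 -> 24.78.142.0:3889 [SA]` followed by `rule should fire: False ['24.78.142.0 is not in 224.0.0.0/4']`: the flags part of the rule is satisfied by a SYN/ACK, so the only condition this packet fails is the destination test, which is the check worth comparing between the two platforms.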