[Snort-devel] 1.9.0, signature ID 1

Steven P. Donegan donegan at ...1695...
Mon Nov 25 07:45:11 EST 2002


p->packet_flags seems to show:

148
144
128
144
128
132

and that is with lots of bogus sig_id's 1, 5, 9, 12,

something very weird is going on here...
----- Original Message -----
From: "Chris Green" <cmg at ...835...>
To: "Steven P. Donegan" <donegan at ...1695...>
Cc: <snort-devel at lists.sourceforge.net>
Sent: Monday, November 25, 2002 7:34 AM
Subject: Re: [Snort-devel] 1.9.0, signature ID 1


> "Steven P. Donegan" <donegan at ...1695...> writes:
>
> > I have observed a bogus signature ID 1 event, from my spo_ plugin - this
> > occurs during a nessus scan. The event and p structures are non-null
during
> > the plugin callback.
>
> what does p->packet_flags show?
>
> > The data in those structures appears to be from earlier callbacks -
> > i.e. some of it appears valid, some not. Has anyone seen anything
> > like this? At present I'm just dropping any ID == 1, but would
> > prefer to find the root cause :-)
>
> --
> Chris Green <cmg at ...402...>
> This is my signature. There are many like it but this one is mine.
>
>





More information about the Snort-devel mailing list