[Snort-devel] 1.9.0, signature ID 1

Chris Green cmg at ...835...
Mon Nov 25 08:20:05 EST 2002


"Steven P. Donegan" <donegan at ...1695...> writes:

> p->packet_flags seems to show:
>
> 148
> 144
> 128
> 144
> 128
> 132
>
> and that is with lots of bogus sig_id's 1, 5, 9, 12,

What sig_gen?

128 means that the packet is from a client side of the connection.
Can you show a backtrace of something that you're trying to inspect?

Most likely it's either a rebuilt frag or rebuilt stream.  It is
possible for a packet that has been alerted on once to generate
further events.  It's probably worth calling DisableDetect() on things
as soon as they generate an alert so that we don't process this packet
further....
-- 
Chris Green <cmg at ...402...>
To err is human, to moo bovine.



