[Snort-devel] Snort 2.0 build13 problem

Chris Green cmg at ...835...
Mon Oct 28 14:11:05 EST 2002


"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:

> I am running snort 2.0 build13 on RH 7.3 linux. I am logging to unified
> file then using BY rc3 to send the alert to the mysql db. This setup is
> working great with one exception.
>
> It looks like the httpflow pre-processor is corrupting packets.  Here is
> a packet payload from ACID.  Notice the server response beginning at
> offset 1b8.  The amount of server response data included is exactly the
> httpflow depth setting  ( 150 ).
>
> I have included the rule that triggered this alert below for reference.
> I have also included the snort output to show the configuration.
>
> I am going to run without httpflow to see if that helps.

Thanks Lawrence,

I think this is an unexpected interaction between stream4 & httpflow.

Try moving the httpflow preprocessor behind frag2 and stream4 in your
snort.conf.  If that is already the case, please attach your snort.conf.
-- 
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.
