[Snort-devel] Snort 2.0 build13 problem
cmg at ...835...
Mon Oct 28 14:11:05 EST 2002
"Lawrence Reed" <Lawrence.Reed at ...1489...> writes:
> I am running snort 2.0 build13 on RH 7.3 linux. I am logging to unified
> file then using BY rc3 to send the alert to the mysql db. This setup is
> working great with one exception.
> It looks like the httpflow pre-processor is corrupting packets. Here is
> a packet payload from ACID. Notice the server response beginning at
> offset 1b8. The amount of server response data included is exactly the
> httpflow depth setting ( 150 ).
> I have included the rule that triggered this alert below for reference.
> I have also included the snort output to show the configuration.
> I am going to run without httpflow to see if that helps.
I think this is an unexpected interaction between stream4 & httpflow.
Try moving the httpflow preprocessor behind frag2 and stream4 in your
snort.conf. If that is already the case, please attach your snort.conf.
Chris Green <cmg at ...402...>
This is my signature. There are many like it but this one is mine.