[Snort-devel] tcpdump for false alert on sid:1845

Brian bmc at ...835...
Thu Oct 31 08:53:08 EST 2002


On Thu, Oct 31, 2002 at 04:49:20PM +1300, Russell Fulton wrote:
> Hi All,
> 	I am running the production release of 1.9.0 and all seems to be well
> except that I am getting a lot of false hits on rules 1845 and 1844. 
> This did not happen on the beta 6 release that I was running before.
> 
> I have managed to get a tcpdump file with a single IMAP session that
> illustrates the problem (attached).

I tried your pcap and was unable to get snort to false alarm.

I tried it against 1.9.0, stable, or current.  Can you send your
snort.conf?

-brian
