[Snort-devel] HTTP 100 messages seem to throw stream4
gianni at ...1804...
Thu Jul 3 07:14:09 EDT 2003
On Sat, 2003-06-28 at 04:07, Dan O'Keefe wrote:
> I have spent some time testing the stream4 reassembly as I cannot seem
> to get it to work in my environment. It meshes unrelated http packets
> together and dumps a stateful message on the wrong trigger so that the
> dumped, re-assembled message is meaningless. I have reached the
> conclusion that it seems the stream4 routine does not handle HTTP 100
> Continue messages. These messages seem to be the break points that
> cause the mashed streams and early triggers. They contain no data and
> only maintain the ACK and SEQ numbers of the prior and upcoming
> packets. Unfortunately, I do not know the source code well enough to
> try and figure out how to fix this. Could someone run a test and
> confirm my hypothesis - and/or attempt a fix?
Could you post a tcpdump file with such traffic please?
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D