[Snort-devel] Header mixup Bug in Snort 2.0?

Tony Lill ajlill at ...267...
Mon Jun 23 06:32:08 EDT 2003


Worse than that, it will also stitch together packets from different
TCP streams, and then alert on them. Check the dumps on all your
'Gnutella GET' errors. I get lots with, say, a couple of web requests
and part of a mail message all supposedly from the same
conversation. 
--
Tony Lill,                         Tony.Lill at ...551...
President, A. J. Lill Consultants        fax/data (519) 650 3571
539 Grand Valley Dr., Cambridge, Ont. N3H 2S2     (519) 241 2461
--------------- http://www.ajlc.waterloo.on.ca/ ----------------
"Welcome to All Things UNIX, where if it's not UNIX, it's CRAP!"

>>>>> "Erik" == Erik Norman <erik.norman at ...2028...> writes:


    Erik> Hi all,

    Erik> I've run across some faulty reporting, where a certain packet correctly
    Erik> generates an alarm, but where the header information (IP, ports etc) is
    Erik> from another packet! It's a Bad Thing. Since I also have a complete
    Erik> tcpdump log of everything, I feel rather sure what I'm talking about.



