[Snort-devel] HTTP 100 messages seem to throw stream4

Dan O'Keefe dan.okeefe at ...1522...
Mon Jun 30 05:04:08 EDT 2003


I have spent some time testing the stream4 reassembly as I cannot seem to get it to work in my environment. It meshes unrelated HTTP packets together and dumps a stateful message on the wrong trigger so that the dumped, re-assembled message is meaningless. I have reached the conclusion that it seems the stream4 routine does not handle HTTP 100 Continue messages. These messages seem to be the break points that cause the mashed streams and early triggers. They contain no data and only maintain the ACK and SEQ numbers of the prior and upcoming packets. Unfortunately, I do not know the source code well enough to try and figure out how to fix this. Could someone run a test and confirm my hypothesis - and/or attempt a fix?

Thanks and regards,
Dan O'Keefe