[Snort-devel] Stream4 woes ??
r.fulton at ...1343...
Tue Mar 11 11:47:13 EST 2003
On Wed, 2003-03-12 at 02:25, Chris Green wrote:
> Russell Fulton <r.fulton at ...1343...> writes:
> > Hi All,
> > I posted a note about this a week or so back by did not get any
> > response so here it goes again.
> Last week was a wash. I have been trying to queue up issues as I can
> look at them.
I know what it's like! that's why I simply repost if I think its
> > Since I upgraded to 1.9.1 I have been getting alerts from various overflow
> > rules but the contents of the logged packets don't seem to make any sense,
> > they seem to contain random bits from other protocols (mainly http, surprise)
> If you can, please try out CVS 2.0 HEAD to see if the problem exists
> there as well.
OK, I'll also try the patch you mentioned.
> How often are you getting these alerts?
one or two an hour.
> Here's pretty much the standard way someone can send me a pcap.
> If very often, please run a parallel tcpdump to log your network
> traffic, and save it off.
> Then, run snort in readback mode (-r) and see if you can create a
> capture file to reproduce the bug.
I'll try this as a last resort, the files are likely to be large.
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
More information about the Snort-devel