[Snort-devel] Stream4 woes ??

Russell Fulton r.fulton at ...1343...
Tue Mar 11 11:47:13 EST 2003


On Wed, 2003-03-12 at 02:25, Chris Green wrote:
> Russell Fulton <r.fulton at ...1343...> writes:
> 
> > Hi All,
> > 	I posted a note about this a week or so back but did not get any 
> > response so here it goes again.
> 
> Last week was a wash. I have been trying to queue up issues as I can
> look at them.

I know what it's like!  That's why I simply repost if I think it's
important.

> 
> > Since I upgraded to 1.9.1 I have been getting alerts from various overflow
> > rules but the contents of the logged packets don't seem to make any sense,
> > they seem to contain random bits from other protocols (mainly http, surprise) 
> 
> If you can, please try out CVS 2.0 HEAD to see if the problem exists
> there as well. 

OK, I'll also try the patch you mentioned.
> 
> How often are you getting these alerts?
> 
One or two an hour.

> Here's pretty much the standard way someone can send me a pcap.
> 
> If very often, please run a parallel tcpdump to log your network
> traffic, and save it off.
> 
> Then, run snort in readback mode (-r) and see if you can create a
> capture file to reproduce the bug.
> 

I'll try this as a last resort, the files are likely to be large.  

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin




