[Snort-devel] New entry in Signature table for tagged packets

Frank Knobbe frank at ...2134...
Thu Nov 25 14:01:13 EST 2004


Greetings,

it looks like Snort creates a new entry for "Tagged Packet" in the
signature table on every tagged packet. It enters the same name, class,
priority, rev and sid each time.

I can't see any reason for this so I assume it's a bug. My guess is that
it is caused by the section in spo_database that checks if the sid is
>0. I'm unsure how to fix that though. I would recommend to enclose that
whole block in a branch that first checks if it is a valid sig or tagged
packet and then handles tagged packets like an existing sig.... in
essence using the existing sig_id in the db instead of creating a new
one.

Any thoughts?

Happy Thanksgiving!
Frank  (time-to-turkey: <2 hrs)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 187 bytes
Desc: This is a digitally signed message part
URL: <https://lists.snort.org/pipermail/snort-devel/attachments/20041125/3e2683a9/attachment.sig>


More information about the Snort-devel mailing list