[Snort-devel] Session mixup by stream4

Alex Butcher, ISC/ISYS Alex.Butcher at ...2437...
Fri Feb 11 04:23:10 EST 2005

Hi -

--On 08 February 2005 16:32 +0530 Sonali Gupta <sonali.gupta at ...2499...> 

> I have posted this query in the snort users mailing list also.
> I came across this post in the neohapsis archives, which discusses an
> issue similar to what I seem to be facing.
> It is at:
> http://archives.neohapsis.com/archives/snort/2003-01/0858.html
> http://archives.neohapsis.com/archives/snort/2003-01/0872.html
> The discussion talks about a session payload mixup in data captured by
> snort. I am also facing this issue in some sessions that I get from
> snort. I am using snort 2.0 and snort 2.3 ORC2, and found the issue in
> both versions.

I sometimes find alerts in my database that appear to be from mixed-up 
packets. The giveaway is that both the IP and TCP checksums are incorrect 
(Ethereal reports that they are both 0x0000).

I'm using Snort 2.3.0 release + FLoP.

I'd send captures, but I've not found any pattern in what makes it happen. 

Best Regards,
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing             GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
