[Snort-devel] Session mixup by stream4
Alex Butcher, ISC/ISYS
Alex.Butcher at ...2437...
Fri Feb 11 04:23:10 EST 2005
--On 08 February 2005 16:32 +0530 Sonali Gupta <sonali.gupta at ...2499...>
> I have posted this query in the snort users mailing list also.
> I came across this post in the neohapsis archives, which discusses an
> issue similar to what I seem to be facing.
> It is at:
> The discussion talks about a session payload mixup in data captured by
> snort. I am also facing this issue in some sessions that I get from
> snort. I am using snort 2.0 and snort 2.3 ORC2, and found the issue in
> both versions.
I sometimes find alerts in my database that appear to be from mixed-up
packets. The giveaway is that both the IP and TCP checksums are incorrect
(ethereal reports that they are both 0x0000).
I'm using Snort 2.3.0 release + FLoP.
I'd send captures, but I've not found any pattern in what makes it happen.
Alex Butcher: Security & Integrity, Personal Computer Systems Group
Information Systems and Computing GPG Key ID: F9B27DC9
GPG Fingerprint: D62A DD83 A0B8 D174 49C4 2849 832D 6C72 F9B2 7DC9
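
The check described in the message above (stored IP and TCP checksums both 0x0000), as an added example that is not part of the original post or of Snort: a Python sketch that reads both checksum fields from a raw IPv4/TCP packet and recomputes them. The function names, addresses and sample packet are constructed for illustration.

```python
import struct

def csum16(data: bytes) -> int:
    """RFC 1071 Internet checksum (one's-complement sum of 16-bit words)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_ipv4_tcp(pkt: bytes) -> dict:
    """Compare stored and recomputed checksums of a raw IPv4/TCP packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or not ihl + 20 <= total_len <= len(pkt):
        raise ValueError("inconsistent length fields")
    seg = pkt[ihl:total_len]                      # TCP header + payload
    ip_stored = struct.unpack("!H", pkt[10:12])[0]
    tcp_stored = struct.unpack("!H", seg[16:18])[0]
    # Recompute with each checksum field treated as zero.
    ip_calc = csum16(pkt[:10] + b"\x00\x00" + pkt[12:ihl])
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    tcp_calc = csum16(pseudo + seg[:16] + b"\x00\x00" + seg[18:])
    return {
        "ip_ok": ip_stored == ip_calc,
        "tcp_ok": tcp_stored == tcp_calc,
        # The "giveaway" from the message: both stored fields are 0x0000.
        "both_zero": ip_stored == 0 and tcp_stored == 0,
    }

def build_sample(payload: bytes, fill_checksums: bool) -> bytes:
    """Constructed IPv4/TCP packet (192.0.2.1 -> 192.0.2.2), demo input only."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    tcp += payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    if fill_checksums:
        pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", csum16(pseudo + tcp)) + tcp[18:]
        ip = ip[:10] + struct.pack("!H", csum16(ip)) + ip[12:]
    return ip + tcp

if __name__ == "__main__":
    for filled in (True, False):
        print(filled, check_ipv4_tcp(build_sample(b"GET / HTTP/1.0\r\n\r\n", filled)))
```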