[Snort-devel] Session mixup by stream4
jay at ...2665...
Fri Feb 11 05:05:43 EST 2005
Alex Butcher, ISC/ISYS wrote:
> Hi -
> --On 08 February 2005 16:32 +0530 Sonali Gupta <sonali.gupta at ...2499...>
>> I have posted this query in the snort users mailing list also.
>> I came across this post in the neohapsis archives, which discusses an
>> issue similar to what I seem to be facing.
>> It is at:
>> The discussion talks about a session payload mixup in data captured by
>> snort. I am also facing this issue in some sessions that I get from
>> snort. I am using snort 2.0 and snort 2.3 ORC2, and found the issue in
>> both versions.
> I sometimes find alerts in my database that appear to be from mixed-up
> packets. The giveaway is that both the IP and TCP checksums are
> incorrect (ethereal reports that they are both 0x0000).
> I'm using Snort 2.3.0 release + FLoP.
> I'd send captures, but I've not found any pattern in what makes it
> happen. :-/
Before you get into a bug report, couldn't this just be flushed
uber-packets from stream4? When stream4's BuildPacket() creates an uber
packet out of a complete or partial stream, it doesn't compute IP or xDP
checksums, since these would be meaningless.
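A triage check for the explanation above, as an added example that is not part of the original post or of Snort's code: it classifies a logged raw IPv4/TCP packet as having both checksums zeroed (consistent with a stream4 rebuilt packet as described), valid checksums, or wrong ones. The function names and the sample packet (192.0.2.x addresses) are constructed for illustration.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum over data (padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(pkt: bytes) -> str:
    """Classify a raw IPv4/TCP packet (no link-layer header) by its checksums."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != 6 or ihl < 20 or total_len < ihl + 20 or len(pkt) < total_len:
        return "not-tcp-or-truncated"
    ip_hdr, seg = pkt[:ihl], pkt[ihl:total_len]
    ip_sum = struct.unpack("!H", ip_hdr[10:12])[0]
    tcp_sum = struct.unpack("!H", seg[16:18])[0]
    if ip_sum == 0 and tcp_sum == 0:
        return "zeroed"  # both fields unset: consistent with a rebuilt pseudo-packet
    # Summing a header or segment that carries a correct checksum yields 0.
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    ip_ok = inet_checksum(ip_hdr) == 0
    tcp_ok = inet_checksum(pseudo + seg) == 0
    return "valid" if ip_ok and tcp_ok else "bad-checksum"

def build_sample(payload: bytes, fill_checksums: bool) -> bytes:
    """Constructed sample packet: 192.0.2.1:1025 -> 192.0.2.2:80, PSH|ACK."""
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
    tcp = struct.pack("!HHIIBBHHH", 1025, 80, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0) + src + dst
    if fill_checksums:
        ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
        pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp)) + tcp[18:]
    return ip + tcp
```

A "zeroed" result is a hint rather than proof: it only shows that the logged packet did not carry filled-in checksums, which is what the post describes for rebuilt stream packets.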