[Snort-devel] Session mixup by stream4

Jay Beale jay at ...2665...
Fri Feb 11 05:05:43 EST 2005

Alex Butcher, ISC/ISYS wrote:
> Hi -
> --On 08 February 2005 16:32 +0530 Sonali Gupta <sonali.gupta at ...2499...> 
> wrote:
>> I have posted this query in the snort users mailing list also.
>> I came across this post in the neohapsis archives, which discusses an
>> issue similar to what I seem to be facing.
>> It is at:
>> http://archives.neohapsis.com/archives/snort/2003-01/0858.html
>> http://archives.neohapsis.com/archives/snort/2003-01/0872.html
>> The discussion talks about a session payload mixup in data captured by
>> snort. I am also facing this issue in some sessions that I get from
>> snort. I am using snort 2.0 and snort 2.3 ORC2, and found the issue in
>> both versions.
> I sometimes find alerts in my database that appear to be from mixed-up 
> packets. The giveaway is that both the IP and TCP checksums are 
> incorrect (ethereal reports that they are both 0x0000).
> I'm using Snort 2.3.0 release + FLoP.
> I'd send captures, but I've not found any pattern in what makes it 
> happen. :-/

Before you get into a bug report, couldn't this just be flushed 
uber-packets from stream4? When stream4's BuildPacket() creates an uber 
packet out of a complete or partial stream, it doesn't compute IP or xDP 
checksums, since these would be meaningless.

  - Jay

More information about the Snort-devel mailing list