[Snort-devel] odd problems with 2.3rc2

Dirk Geschke dirk at ...972...
Mon Jan 10 08:20:30 EST 2005


Hi Russel,

> 	I originally sent this to the snort-users list and then posted a
> followup asking people to ignore it since I thought that the problem was
> caused by corruption in the database.  I have now eliminated that and
> have verified that snort really is generating these alerts.
> 
> [russell at ...1358... snort]$ snort -V
> 
>    ,,_     -*> Snort! <*-
>   o"  )~   Version 2.3.0RC2 (Build 9)
>    ''''    By Martin Roesch & The Snort Team:
> http://www.snort.org/team.html
>            (C) Copyright 1998-2004 Sourcefire Inc, et al.
> 
> Gotta luv that pig!!  :)
> 
> I've just installed RC2 and I have observed a couple of problems:
>      1. a few rules are triggering when there does not appear to be any
>         reason.  One rule is triggering often, for no apparent reason:

Maybe you are using the unified output plugin? In this case it
is possible that the rule fires on a stream4 rebuild packet.
This packet is stored in the original parts and only the first
one gets the signature message. All further packets are "Tagged
Packet"s and are stored in the log facility.

Could this explain your phenomenon?

Best regards

Dirk



