[Snort-devel] odd problems with 2.3rc2

Russell Fulton r.fulton at ...1343...
Mon Jan 10 13:17:29 EST 2005


On Mon, 2005-01-10 at 17:19 +0100, Dirk Geschke wrote:

> > 
> > I've just installed RC2 and I have observed a couple of problems:
> >      1. a few rules are triggering when there does not appear to be any
> >         reason.  One rule is triggering often, for no apparent reason:
> 
> maybe you are using the unified output plugin?

I am.
>  In this case it
> is possible that the rules fires on a stream4 rebuild packet.
> This packet is stored in the original parts and only the first
> one gets the signature message. All further packets are "Tagged
> Packet"s and are stored in the log facility.

That explains part of the problem (the tagged packets) but not why the
rules are triggering in the first place.

Thanks, Russell





More information about the Snort-devel mailing list