[Snort-devel] odd problems with 2.3rc2

Dirk Geschke Dirk_Geschke at ...802...
Tue Jan 11 00:13:11 EST 2005

Hi Russel,

> > In this case it
> > is possible that the rule fires on a stream4-rebuilt packet.
> > This packet is stored in the original parts and only the first
> > one gets the signature message. All further packets are "Tagged
> > Packet"s and are stored in the log facility.
> That explains part of the problem (the tagged packets) but not why the
> rules are triggering in the first place.

I think it does: the rule matches on the rebuilt, complete packet. So
you can't say which of the individual packets raised the alert. It is
also possible that parts of the signatures are spread over several

The solution of the unified output plugin is to store the first 
individual packet with the matching signature although the content
may be part of one of the other "Tagged Packets". All other packets
are simply marked as "Tagged Packets". I think to find the matching
content you have to rebuild the reassembled packet again. Then you
will find the parts matching the rule.

I guess it would be a better solution to mark in the first packet that
it is part of a session. But then you have to adjust programs like
ACID/BASE to take care of such a flag. Otherwise you will be fooled
by the alerts...

Best regards



| Dr. Dirk Geschke            | E-mail: geschke at ...802...      |
| Gesellschaft fuer Netzwerk  | Tel.  : +49-(0)-89-991950-131 |
| und Unix Administration mbH | Fax   : +49-(0)-89-991950-999 |
| 85551 Kirchheim / Germany   | Domagkstrasse 7               |
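The situation described in the message above, as an added example that is not part of the original post and not Snort's own code: a constructed set of TCP segments is reassembled into one stream the way a stream4-style preprocessor would (sorted by sequence number, first-received bytes winning on overlap), a content pattern is matched against the reassembled stream, and the matched byte range is mapped back to the individual segments that supplied it. The segments, sequence numbers and the pattern are all constructed for the demonstration; the point it shows is that the first logged packet need not contain the matching content at all.

```python
"""Constructed example: map a content match on a reassembled TCP stream
back to the original segments that carried the matching bytes.
Not Snort code; the reassembly policy is a simplified stand-in for stream4."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Segment:
    seq: int        # relative TCP sequence number of the first payload byte
    payload: bytes  # segment payload as captured


def reassemble(segments: List[Segment]) -> Tuple[bytes, List[int]]:
    """Rebuild the contiguous stream from the segments in arrival order.

    Returns (stream, layout) where layout[k] is the index (in arrival
    order) of the segment that supplied stream byte k.  On overlapping
    data the first-received copy wins; reassembly stops at the first hole.
    """
    base = min(s.seq for s in segments)
    owner: Dict[int, Tuple[int, int]] = {}   # stream offset -> (byte, seg index)
    for idx, seg in enumerate(segments):
        for i, b in enumerate(seg.payload):
            owner.setdefault(seg.seq - base + i, (b, idx))  # first arrival wins
    stream = bytearray()
    layout: List[int] = []
    off = 0
    while off in owner:                      # stop at the first missing byte
        b, idx = owner[off]
        stream.append(b)
        layout.append(idx)
        off += 1
    return bytes(stream), layout


def find_matches(stream: bytes, pattern: bytes) -> List[int]:
    """All offsets at which pattern occurs in the reassembled stream."""
    offsets, start = [], 0
    while True:
        i = stream.find(pattern, start)
        if i < 0:
            return offsets
        offsets.append(i)
        start = i + 1


def locate(segments: List[Segment], pattern: bytes) -> List[Tuple[int, List[int]]]:
    """For each match on the rebuilt stream, list the segment indices
    (arrival order) whose bytes contribute to the matched range."""
    stream, layout = reassemble(segments)
    result = []
    for off in find_matches(stream, pattern):
        seg_ids = sorted(set(layout[off:off + len(pattern)]))
        result.append((off, seg_ids))
    return result


def first_packet_contains(segments: List[Segment], pattern: bytes) -> bool:
    """Would the first logged packet, on its own, have matched the content?"""
    return pattern in segments[0].payload


# Constructed sample: one request split over three segments, with the
# second and third arriving out of order.  (Constructed data, not a capture.)
SEGMENTS = [
    Segment(1000, b"GET /cgi-bin/"),        # index 0: first packet of the session
    Segment(1025, b"sswd HTTP/1.0\r\n"),    # index 1: arrives before its predecessor
    Segment(1013, b"../../etc/pa"),         # index 2: fills the gap
]
PATTERN = b"/etc/passwd"                    # constructed content to look for


if __name__ == "__main__":
    stream, _ = reassemble(SEGMENTS)
    print("rebuilt stream:", stream)
    for off, ids in locate(SEGMENTS, PATTERN):
        print(f"match at offset {off} spans segments {ids}")
    print("first packet alone matches:", first_packet_contains(SEGMENTS, PATTERN))
```

Run as a script it shows the match starting at stream offset 18 and spanning segments 1 and 2, while segment 0, the one a unified log would carry the signature on, contains none of the pattern. That is the reason the author gives for having to rebuild the stream from the tagged packets before the matching content can be found.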
