[Snort-devel] continuing problems with RC2 and tagged packets

Russell Fulton r.fulton at ...1343...
Thu Jan 13 12:34:01 EST 2005


Hi Folks,
	 I have done more checking and followed up various suggestions as to
what might be going on here.

Brief recap:

I am seeing lots (~1700 in 24 hours) of tagged packets since I installed
RC2.  Almost all of these packets are linked to sessions which
supposedly triggered BS rule "BLEEDING-EDGE Malware Fun Web Products
Agent Traffic" sid: 2001034

It has been suggested (sorry I've forgotten by who, lost the email and
can't be bothered scouring the archive) that these are the result of
stream reassembling but none of the packets tagged *or* the alert packet
meet the trigger criteria for the rule.

Some of the packets *do* contain content that should trigger other rules
(I found several with references to Hotbar) so it looks like this could
be a case of the wrong rule being triggered.  Others appear completely
innocuous.

I have checked the sids in the sid-msg.map files and everything else I
can think of...

Any other suggestions how to get a grip on this?

Russell.





More information about the Snort-devel mailing list