[Snort-sigs] Problem with pop3.rules and ftp.rules

Russell Fulton r.fulton at ...575...
Tue Feb 11 11:10:05 EST 2003

On Wed, 2003-02-12 at 04:28, Kenneth G. Arnold wrote:
> I updated my rules yesterday and I am getting similar results from pop3
> and ftp rules.  I have had to disable just about all of the rules because
> they were firing on what certainly appeared to be legitimate traffic.

There is a bug in the 1.9.0 stream4 preprocessor which sometimes drops
the last character of the packet. In these cases it drops the '0a'
causing the rule to fire.  If you are logging packets you can check this
by looking at the dumps.

Has this bug been fixed in the 1.9.0 CVS?  I had been waiting until
there was a new release of 1.9 to upgrade but it has now been months
since I reported this. 

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin

More information about the Snort-sigs mailing list