[Snort-sigs] Problem with pop3.rules and ftp.rules

Jens Krabbenhoeft tschenz-snort-sigs at ...1099...
Fri Feb 14 06:25:10 EST 2003


Russell,

> Still looking good this morning!  I had a couple of packets that
> appeared to be truncated (no CRLF at all) but that may not be snort's
> fault.

I see the same behaviour with snort 2.0 (build 49), too. There seems to
be another problem in stream4 which produces these false positives. The
debug output I get seems to show three "reassembly tries" for one session.

If the reassembled "chunks" match snort-signatures it alerts for the
chunks, e.g.:

HELO myhost         -> alert
HELO myhost.domain  -> alert

... the fully reassembled stream:

HELO myhost.domain.tld|0d0a| -> alert

I'll try to get a pcap-file of one of these false alerts to mail it to
Chris.

Bye,
	Jens



