[Snort-sigs] Problem with pop3.rules and ftp.rules
tschenz-snort-sigs at ...1099...
Fri Feb 14 06:25:10 EST 2003
> Still looking good this morning! I had a couple of packets that
> appeared to be truncated (no CRLF at all) but that may not be snort's
I see the same behaviour with snort 2.0 (build 49), too. There seems to
be another problem in stream4 which produces these false positives. The
debug output I get seems to show three "reassembly tries" for one session.
If the reassembled "chunks" match snort-signatures it alerts for the
HELO myhost -> alert
HELO myhost.domain -> alert
... the fully reassembled stream:
HELO myhost.domain.tld|0d0a| -> alert
I'll try to get a pcap-file of one of these false alerts to mail it to